Use of Hard-coded Cryptographic Key

CVE-2023-27583

High

9.8/10

Summary

The package github.com/px-org/PanIndex is a network disk directory index. In versions prior to 3.1.3, a hard-coded JWT key `PanIndex` is used. An attacker can use the hard-coded JWT key to sign the JWT token and perform any actions as a user with admin privileges. As a workaround, one may change the JWT key in the source code before compiling the project.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-321 - Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

References

Advisory
Release Note
Pull request

Advisory Timeline

Published Mar 13, 2023

Use of Hard-coded Cryptographic Key

CVE-2023-27583

Summary

CWE-321 - Use of Hard-coded Cryptographic Key

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS