[Vulnerability] EquinoxProject has a hard coded JWT Secret that may lead to unauthorized risks #219

@lx915

Description
This project is an open-source project, and any user can access the hard-coded JWT Secret in this project. At the same time, there are no warning prompts when starting the project with the default JWT Secret value, so most users may not modify this default value, which may allow attackers to forge arbitrary user permission tokens, thereby bypassing authentication and authorization mechanisms and accessing protected interfaces.

Image: https://github.com/EduardoPires/EquinoxProject/blob/master/src/Equinox.Services.Api/appsettings.Staging.json#L15

Influence
- Attackers can forge any user's JWT
- Can impersonate administrators or high-privilege accounts to access sensitive interfaces
- The user identity authentication mechanism has failed
- May lead to data leakage, unauthorized operations, or account takeover

Fix
The JWT Secret can be placed in a system environment variable, or starting the project with the default value can be disabled.
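One way to implement both halves of that fix in an ASP.NET Core startup file (added example, not EquinoxProject's own code). It assumes a configuration key `Jwt:SecretKey`, the matching environment variable `JWT__SecretKey`, and a placeholder string `CHANGE_ME_PLACEHOLDER` standing in for whatever value is checked into the appsettings file; all three names are assumptions, not taken from the repository.

```csharp
// Added example: refuse to start the API when the JWT signing secret is
// missing, still equal to the checked-in placeholder, or too short.
// Key name "Jwt:SecretKey", env var JWT__SecretKey and the placeholder
// value are hypothetical; substitute the project's real ones.
using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class JwtSecretGuard
{
    // Hypothetical stand-in for the value that ships in appsettings*.json.
    public const string PlaceholderSecret = "CHANGE_ME_PLACEHOLDER";

    // HS256 needs at least 256 bits (32 bytes) of key material.
    public const int MinSecretBytes = 32;

    // Returns the validated secret or throws so the host never comes up
    // with a weak or well-known signing key.
    public static string Require(IConfiguration config)
    {
        // ASP.NET Core maps the environment variable JWT__SecretKey onto
        // "Jwt:SecretKey", and environment variables override the JSON files,
        // so operators can supply the real value without editing appsettings.
        string? secret = config["Jwt:SecretKey"];

        if (string.IsNullOrWhiteSpace(secret))
            throw new InvalidOperationException(
                "Jwt:SecretKey is not set. Provide it via the JWT__SecretKey " +
                "environment variable or a secret store.");

        if (secret == PlaceholderSecret)
            throw new InvalidOperationException(
                "Jwt:SecretKey still holds the checked-in placeholder. Refusing to start.");

        if (Encoding.UTF8.GetByteCount(secret) < MinSecretBytes)
            throw new InvalidOperationException(
                $"Jwt:SecretKey must be at least {MinSecretBytes} bytes.");

        return secret;
    }
}

public class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        // Fail fast, before any endpoint is registered.
        string secret = JwtSecretGuard.Require(builder.Configuration);

        builder.Services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret)),
                    ValidateIssuer = true,
                    ValidIssuer = builder.Configuration["Jwt:Issuer"],     // assumed key
                    ValidateAudience = true,
                    ValidAudience = builder.Configuration["Jwt:Audience"], // assumed key
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1),
                };
            });

        var app = builder.Build();
        app.UseAuthentication();
        app.UseAuthorization();
        app.Run();
    }
}
```

With this in place the checked-in appsettings file can keep the placeholder for local development, while any deployment that has not set `JWT__SecretKey` (or has left the placeholder) fails at startup with a clear message instead of silently signing tokens with a key anyone can read from the repository.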
