Impact
Yeti does not account for empty SECRET_KEY variables when generating cryptographic secrets for authentication, enabling attackers to forge valid JWTs for authentication.
https://github.com/yeti-platform/yeti-docker, prior to 4a67458c9dcf348951e4d921e5c5af28b33cee9e, would set the key to SECRET. The implication that this value must be changed may not have been clear to users.
Updates
2025-03-09: The original fix was incomplete, and providing insecure defaults would still leave the instance vulnerable. 2.3.1 fixes this.
Patches
Version 2.1.12 fixes this, versions prior to this are vulnerable.
Version 2.3.3 fixes this, versions prior to this are vulnerable.
Workarounds
Ensure the SECRET_KEY environment variable or config option is set randomly.
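As an added example, not code from the Yeti project, the following fail-closed startup check refuses an empty or placeholder SECRET_KEY (such as the docker default "SECRET" named above) and shows how to generate a random replacement. The 32-character minimum and the placeholder list are assumed policy, not values from the advisory.

```python
import secrets

# Placeholder values that must never be accepted as a JWT signing secret.
# "SECRET" is the default the advisory says yeti-docker used to ship; the
# other entries are assumed common placeholders, not values from the advisory.
KNOWN_PLACEHOLDERS = {"secret", "changeme", "change-me", "password", "default"}

# Assumed policy: require at least 32 characters of random material.
MIN_SECRET_LEN = 32


def check_secret_key(value):
    """Return None if `value` is acceptable as a signing key, else a reason string.

    Fails closed: an unset/empty value or a known placeholder is rejected so the
    service refuses to start rather than silently signing tokens with a key
    anyone can guess.
    """
    if value is None or value.strip() == "":
        return "SECRET_KEY is unset or empty"
    if value.strip().lower() in KNOWN_PLACEHOLDERS:
        return "SECRET_KEY is a known placeholder value"
    if len(value) < MIN_SECRET_LEN:
        return f"SECRET_KEY is shorter than {MIN_SECRET_LEN} characters"
    if len(set(value)) < 8:
        return "SECRET_KEY has too little variety to be random"
    return None


def generate_secret_key(nbytes=32):
    """Return a fresh random key with 256 bits of entropy (43 URL-safe chars)."""
    return secrets.token_urlsafe(nbytes)


def load_secret_key(env):
    """Read SECRET_KEY from a mapping such as os.environ; raise if it is weak."""
    reason = check_secret_key(env.get("SECRET_KEY"))
    if reason is not None:
        raise RuntimeError(f"refusing to start: {reason}; generate one with "
                           f"secrets.token_urlsafe(32)")
    return env["SECRET_KEY"]


if __name__ == "__main__":
    # Constructed sample environments, not real deployments.
    for sample in ({}, {"SECRET_KEY": ""}, {"SECRET_KEY": "SECRET"},
                   {"SECRET_KEY": generate_secret_key()}):
        try:
            print("ok, key accepted:", load_secret_key(sample)[:6] + "...")
        except RuntimeError as err:
            print(err)
```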
References
Fix: #1142