CVE-2023-27584

Description

Dragonfly2 has hard coded cyptographic key in d7y.io/dragonfly

How to fix CVE-2023-27584

To remediate CVE-2023-27584, upgrade the affected package to a fixed version below.

• Go/d7y.io/dragonfly/v2—upgrade to 2.1.0-beta.1 or later
• Go/d7y.io/dragonfly/v2—upgrade to 2.1.0-beta.1 or later

Is CVE-2023-27584 being exploited?

Likely — EPSS is 66.2%, placing CVE-2023-27584 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

• >= 2.1.0-alpha.0, < 2.1.0-beta.1
• from 0, < 2.1.0-beta.1

CVSS scores

References (7)

• ADVISORYgithub.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-27584
• PATCHgithub.com/dragonflyoss/Dragonfly2
• WEBgithub.com/dragonflyoss/Dragonfly2/commit/e9da69dc4048bf2a18a671be94616d85e3429433