Gaius-Qi

**Name of the Vulnerable Software and Affected Versions** Dragonfly versions prior to 2.1.0 **Description** The `/api/v1/jobs` and `/preheats` endpoints in the Manager web UI are accessible without authentication. An unauthenticated adversary with network access to a Manager web UI can create, delete, and modify jobs, and create preheat jobs. An attacker can exploit this to create a large number of useless jobs, leading to a denial-of-service state where the Manager stops accepting requests from valid administrators. **Recommendations** Upgrade to version 2.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Dragonfly versions prior to 2.1.0 **Description** Dragonfly is a P2P-based file distribution and image acceleration system susceptible to a server-side request forgery (SSRF) vulnerability. This flaw allows users to force Dragonfly2’s components to make requests to internal services that are otherwise inaccessible. The issue stems from weak validation of user-supplied URLs when creating Preheat jobs via the Manager API, the `pieceManager.DownloadSource` method in peer-to-peer communication, and HTTP clients following redirects. This can lead to probing or access of internal HTTP endpoints. **Recommendations** Upgrade to version 2.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Dragonfly versions prior to 2.1.0 **Description** Dragonfly, an open source P2P-based file distribution and image acceleration system, disables TLS certificate verification in its HTTP clients. These clients are not configurable, preventing users from re-enabling verification. An attacker can perform a Man-in-the-Middle attack, providing invalid data to the Manager, leading to preheating with incorrect data, resulting in denial of service and file integrity issues. The vulnerable code snippet involves the `getAuthToken` function and the `TLSClientConfig` within the `http.Transport`, where `InsecureSkipVerify` is set to `true`. **Recommendations** Upgrade to version 2.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Dragonfly versions prior to 2.1.0 **Description** The `processPieceFromSource` method in Dragonfly does not correctly update the `usedTraffic` field within the Task structure due to the use of an uninitialized variable (`n`) instead of `result.Size` when calling the `AddTraffic` method. This incorrect rate limiting can lead to a denial-of-service condition for the peer processing the task. **Recommendations** Upgrade to Dragonfly version 2.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Dragonfly versions prior to 2.1.0 **Description** Dragonfly2 uses the `os.MkdirAll` function to create directory paths with specific access permissions. This function does not perform permission checks if a directory path already exists, allowing a local attacker to create a directory with broad permissions before Dragonfly2 does so, potentially enabling file tampering. An attacker with unprivileged access can introduce directories/paths with 0777 permissions before Dragonfly2 creates them, allowing deletion and forging of files in that directory. **Recommendations** Upgrade to version 2.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Dragonfly versions prior to 2.1.0 **Description** The access control mechanism for the Proxy feature uses simple string comparisons and is vulnerable to timing attacks. An attacker may attempt to guess the password character by character by sending possible characters to the vulnerable mechanism and measuring the comparison instruction’s execution times. The vulnerable code performs a short-circuiting equality operation to compare the username and password. The potential impact of successful exploitation is currently undetermined. **Recommendations** Upgrade to version 2.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Dragonfly versions prior to 2.1.0 **Description** Dragonfly is a P2P-based file distribution and image acceleration system. Prior to version 2.1.0, the first return value of a function is dereferenced even when the function returns an error, potentially resulting in a nil dereference and causing the code to panic. This issue was identified in the `server.Download` method where a malicious actor could cause the system to panic by sending a `dfdaemonv1.DownRequest` request. **Recommendations** Upgrade to version 2.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Dragonfly versions prior to 2.1.0 **Description** Dragonfly’s gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations and to read arbitrary files. This can allow peers to steal secret data and gain remote code execution (RCE) capabilities on the peer’s machine. The vulnerability is related to file handling within the `os.OpenFile()` and `io.Copy()` functions. The code snippet shows how the `DataFilePath` is used to open a file and how `io.Copy()` is used to copy data into the file, potentially allowing arbitrary file creation and modification. **Recommendations** Upgrade to version 2.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Dragonfly versions prior to 2.1.0 **Description** A peer can obtain a valid TLS certificate for arbitrary IP addresses, rendering the mTLS authentication ineffective. The Manager’s Certificate gRPC service does not validate if the requested IP addresses belong to the peer requesting the certificate. The vulnerable code parses a certificate signing request (CSR) and does not verify that the IP addresses within the CSR match the peer’s connection IP address. **Recommendations** Upgrade to version 2.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Dragonfly versions prior to 2.1.0 **Description** Dragonfly2 uses the MD5 hash function for downloaded files, which does not provide collision resistance. This allows attackers to replace files with malicious ones that have a colliding hash. An attacker, such as Alice, can create an innocent image and a malicious image with colliding MD5 hashes. Bob may unintentionally use the malicious image after downloading it from the peer-to-peer network. The vulnerability is due to the use of the MD5 hash function in the `pieceDigests` variable and the subsequent comparison with `t.PieceMd5Sign`. **Recommendations** Upgrade to version 2.1.0 or above.

**Name of the Vulnerable Software and Affected Versions** Dragonfly versions prior to 2.1.0 **Description** Dragonfly, an open source P2P-based file distribution and image acceleration system, is susceptible to a Man-in-the-Middle attack. The scheduler for downloading small files was configured to use the HTTP protocol instead of HTTPS. This allows an attacker to intercept and modify network requests, potentially replacing legitimate data with malicious content. The vulnerability is exacerbated by weak integrity checks. The vulnerable code segment is located within the `DownloadTinyFile()` function. The target URL used in the vulnerable function is: `http://${host}:${port}/download/${taskIndex}/${taskID}?peerId=${peerID}`. **Recommendations** Upgrade to Dragonfly version 2.1.0 or later.