CVE-2024-8135

Name of the Vulnerable Software and Affected Versions: Go-Tribe gotribe up to cd3ccd32cd77852c9ea73f986eaf8c301cfb6310

Description: A critical vulnerability has been found in Go-Tribe gotribe. The issue affects the function Sign of the file pkg/token/token.go. The manipulation of the argument config.key leads to hard-coded credentials. The product uses continuous delivery with rolling releases, so no version details of affected or updated releases are available.

Recommendations: To fix this issue, it is recommended to apply a patch identified as 4fb9b9e80a2beedd09d9fde4b9cf5bd510baf18f. As a temporary workaround, consider disabling the Sign function until a patch is available. Restrict access to the pkg/token/token.go file to minimize the risk of exploitation. Avoid using the config.key argument in the affected function until the issue is resolved.