# Vulnerability Summary

## Overview

This vulnerability involves a JWT authentication bypass caused by two flaws:

1. **Hardcoded JWT Secret**: `TokenManager` uses a hardcoded default secret `asdwqe`, so all default deployments share the same signing key.
2. **Self-comparison Logic**: `AuthenticationInterceptor` compares the password extracted from the token with itself during validation, so the check always returns `true`.

## Impact Scope

- Attackers can forge valid JWTs for any user without knowing the actual password.
- All deployments using the default configuration are affected.

## Remediation

1. **Remove Hardcoded Secret**: Remove the hardcoded default secret in `TokenManager.java` and automatically generate a random secret at startup.
2. **Fix Validation Logic**: In `AuthenticationInterceptor.java`, compare the token password with the BCrypt hash stored in the database instead of comparing it with the password within the token itself.
3. **Configure Secret**: Add a `jwt.token.secret` configuration item in `application.yaml` so users can discover and set a custom secret.

## POC Code

```java
// TokenManager.java
// Remediated startup logic: a missing or short secret is replaced by a random one
// instead of the hardcoded default.
if (StringUtils.isEmpty(tokenSecret) || tokenSecret.length() < 16) {
    log.warn("jwt.token.secret is not configured or too short, generating random secret");
    tokenSecret = java.util.UUID.randomUUID().toString().replace("-", "")
            + java.util.UUID.randomUUID().toString().replace("-", "");
}

// AuthenticationInterceptor.java
// Remediated check: tokenPassword is compared with the stored credential (password),
// not with itself.
return (username.equals(tokenUsername)
        && password.equals(tokenPassword)
        && !(isExpired(token)));
```
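The two flaws side by side, as an added example that is not part of the original report or the project's code: a minimal HS256 JWT signer/verifier, a `vulnerable_check` that reproduces the self-comparison bug, and a `hardened_check` that verifies the signature under a non-default secret and compares the token's password claim with a stored hash. `load_secret`, `sign`, `decode`, the user store and the PBKDF2 stand-in for the database's BCrypt hash are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

MIN_SECRET_LEN = 16  # same threshold as the TokenManager snippet above

def load_secret(configured):
    # A missing or short jwt.token.secret gets a random value, never a hardcoded default.
    if not configured or len(configured) < MIN_SECRET_LEN:
        return secrets.token_hex(32)
    return configured

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, secret: str) -> str:
    head = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def decode(token: str, secret: str):
    # Returns the claims only when the HS256 signature verifies, else None.
    head, body, sig = token.split(".")
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return json.loads(unb64url(body)) if hmac.compare_digest(mac, unb64url(sig)) else None

def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for the BCrypt hash kept in the database (bcrypt is not in the stdlib).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def vulnerable_check(token: str, secret: str) -> bool:
    claims = decode(token, secret) or {}
    token_password = claims.get("password")
    # The bug: the token's own claim is compared with itself, so any signed token passes.
    return token_password == token_password and claims.get("exp", 0) > time.time()

def hardened_check(token: str, secret: str, users: dict) -> bool:
    claims = decode(token, secret) or {}
    record = users.get(claims.get("username"))
    if record is None or claims.get("exp", 0) <= time.time():
        return False
    salt, stored_hash = record
    return hmac.compare_digest(hash_password(claims.get("password", ""), salt), stored_hash)
```

With the shared default secret, a token carrying an arbitrary password passes `vulnerable_check` but fails `hardened_check`; once the secret is generated at startup, the forged token no longer even verifies.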