Nocobase Hard-Coded Cryptographic Key Vulnerability in JWT Service
Vulnerability
A vulnerability exists in Nocobase versions up to 1.9.4 and 2.0.0-alpha.37 within the JWT Service component. The issue lies in an unknown function in the file 'jwt-service.ts', where manipulation of the 'API_KEY' argument leads to the use of a hard-coded cryptographic key. Because the signing key is predictable, JSON Web Tokens (JWTs) can be forged remotely, which can be exploited to gain unauthorized administrative privileges, access sensitive data, manage user accounts, and retrieve OSS cloud keys. Exploitation of this vulnerability is publicly known and has been demonstrated.
Impact
Exploitation of this vulnerability allows for the unauthorized forging of JWTs, which can be used to bypass authentication and authorization mechanisms. This access can lead to the unauthorized management of user accounts, including administrative privileges, and access to sensitive data and cloud keys.
Reproduction
The vulnerability can be reproduced by deploying Nocobase using Docker with the default JWT key. Once the application is running, JWTs forged by manipulating the 'API_KEY' argument are accepted as valid by the application. Such a forged token can then be used to access protected resources or interfaces that require administrative privileges.
Remediation
Nocobase users are advised to change the default JWT key to a secure, custom value. While the documentation recommends this practice, it is not enforced, leaving many deployments vulnerable.
