Opsre Go-Ldap-Admin Hard-Coded JWT Key Vulnerability Allowing Authorization Bypass
Vulnerability
A vulnerability exists in Opsre Go-Ldap-Admin versions prior to 20251011, in the JWT Handler component. The default JWT secret key is hard-coded and not properly managed. This allows an attacker to manipulate the JWT token and gain unauthorized access to sensitive backend operations. The vulnerability can be exploited remotely, and while it requires some technical knowledge to execute, a public proof-of-concept exploit is available.
Impact
Exploitation of this vulnerability allows for JWT forgery, bypassing authorization mechanisms to access restricted backend interfaces. This could lead to unauthorized operations within the application.
Reproduction
The vulnerability can be reproduced by deploying Opsre Go-Ldap-Admin using the default Docker Compose configuration. After the application is running, the hard-coded JWT secret key can be exploited by manipulating the JWT token to include a forged identity, such as an administrator user ID. This forged token can then be used to access sensitive API endpoints that require authorization.
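For operators checking their own deployment, the following added Go example (not code from the project or from this advisory) shows a startup guard that rejects a short or shipped-default JWT secret, and an audit helper that tests whether a token issued by your own server validates under a known default key. HS256 signing, the 32-byte minimum, and the placeholder default value are assumptions; the page states neither the real key nor the algorithm.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed placeholder; substitute the default from the release you run.
const shippedDefault = "PLACEHOLDER-shipped-default-jwt-secret"

// CheckSecret is a startup guard: reject keys that are short or publicly known.
func CheckSecret(secret string, knownDefaults ...string) error {
	if len(secret) < 32 {
		return errors.New("JWT secret shorter than 32 bytes")
	}
	for _, d := range knownDefaults {
		if secret == d {
			return errors.New("JWT secret equals a shipped default")
		}
	}
	return nil
}

// hs256 computes HMAC-SHA256 over the token's "header.payload" part (assumed algorithm).
func hs256(signingInput, key string) []byte {
	m := hmac.New(sha256.New, []byte(key))
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// VerifiesUnder: true for a shipped default on a token your server issued means affected.
func VerifiesUnder(token, key string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	return err == nil && hmac.Equal(sig, hs256(parts[0]+"."+parts[1], key))
}

func main() {
	in := "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzYW1wbGUifQ" // constructed sample token body
	tok := in + "." + base64.RawURLEncoding.EncodeToString(hs256(in, shippedDefault))
	fmt.Println("config guard:", CheckSecret(shippedDefault, shippedDefault))
	fmt.Println("token verifies under default:", VerifiesUnder(tok, shippedDefault))
}
```

Calling CheckSecret before the JWT handler is initialized makes a deployment that still carries the default fail at startup instead of running with a publicly known signing key.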
