GFI Archiver
cpe:2.3:a:gfi:archiver:*:*:*:*:*:*:*
- 15.7
A vulnerability exists in GFI Archiver version 15.7, specifically within the ArchiverSpaApi component. The component uses a hard-coded JSON Web Token (JWT) signing key, so an unauthenticated remote attacker can generate a JWT that passes signature verification and use it to access protected ArchiverSpaApi URL endpoints. To exploit this vulnerability, the attacker must have a valid UserGuid to include in the JWT, impersonating an Archiver user. The UserGuid for the default Administrator user can be found in the application's profile directory.
Exploitation of this vulnerability allows for unauthorized access to protected API endpoints, potentially leading to unauthorized data access or manipulation.
To reproduce this vulnerability, first obtain the hard-coded JWT signing key from the ArchiverSpaApi application. Then, extract the UserGuid for the default Administrator user from the application's profile directory. With the UserGuid and the signing key, generate a JWT token and include the UserGuid to impersonate the Administrator. Finally, send a request to a protected ArchiverSpaApi endpoint, such as the saved searches endpoint, using the generated JWT token. The response will confirm successful exploitation by returning saved search data.
Users are advised to upgrade to GFI Archiver version 15.9 or later.
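Why a signing key shipped inside the application authenticates nobody, and what a key generated per installation changes, shown as an added example that is not GFI's code. The HS256 algorithm, the `UserGuid` claim name, the key value and the GUIDs are assumptions or constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

def verify(token: str, key: bytes):
    """Return the claims if the HS256 signature checks out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the header's choice
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(body))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token

# Constructed placeholder for a key compiled into every copy of a product.
SHIPPED_KEY = b"constructed-placeholder-key"

def new_install_key() -> bytes:
    """Hardened form: 256-bit random key generated once per installation."""
    return secrets.token_bytes(32)

def demo() -> dict:
    # Token signed by someone who only has the shipped binary (constructed GUID).
    outsider = sign({"UserGuid": "00000000-0000-0000-0000-000000000000"}, SHIPPED_KEY)
    site_a, site_b = new_install_key(), new_install_key()
    own = sign({"UserGuid": "11111111-1111-1111-1111-111111111111"}, site_a)
    return {
        "shipped_key_accepts_outsider": verify(outsider, SHIPPED_KEY) is not None,
        "install_key_accepts_outsider": verify(outsider, site_a) is not None,
        "other_install_accepts_token": verify(own, site_b) is not None,
        "install_accepts_own_token": verify(own, site_a) is not None,
    }
```

With a per-installation key the signature depends on a secret only that server holds, so knowing a UserGuid is no longer enough to pass verification.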