Dragonfly
- <= 2.4.0
A vulnerability exists in Dragonfly's Manager component, specifically in versions through 2.4.0, where the Job API endpoints lack proper authentication and authorization. This flaw allows unauthenticated users to access, modify, and delete jobs via the Manager API. The absence of authentication middleware and role-based access control (RBAC) authorization checks in the routing configuration is the root cause. Exploitation of this vulnerability could lead to unauthorized job management, information disclosure, service disruption, and resource exhaustion.
Exploitation of this vulnerability allows for complete unauthorized management of jobs through the Job API, including creating, modifying, and deleting jobs. This could disrupt normal file distribution services and lead to resource exhaustion by creating a large number of jobs.
The vulnerability can be reproduced by deploying Dragonfly on a Kubernetes cluster without authentication for the Job API endpoints. After deployment, the Manager API can be accessed without any authentication, allowing for unauthorized actions such as creating, modifying, and deleting jobs.
The vulnerability has been fixed in Dragonfly version 2.4.1-rc.1. Users should update to this version. For those unable to update immediately, it is recommended to restrict network access to the Manager API, deploy an API gateway for authentication, and monitor abnormal access patterns to the Job API.
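The root cause and the fix side by side, as an added illustration that is not Dragonfly's own code (the Manager's real framework, route names, roles and token scheme are not shown on this page and are assumed here): a Job API route registered with no middleware, the pattern the advisory describes, next to the same route wrapped in an authentication and RBAC check, written against Go's standard net/http only.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// Hypothetical RBAC table: which roles may use which HTTP method on the Job API.
var jobPermissions = map[string]map[string]bool{
	http.MethodGet:    {"admin": true, "viewer": true},
	http.MethodPost:   {"admin": true},
	http.MethodDelete: {"admin": true},
}

// Constructed sample tokens standing in for a real token store or session lookup.
var tokenRoles = map[string]string{"admin-token": "admin", "viewer-token": "viewer"}

// jobsHandler stands in for the Job API handlers (list, create, delete jobs).
func jobsHandler(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }

// newMux mounts the Job API route; the handler passed in decides whether it is protected.
func newMux(jobAPI http.Handler) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v1/jobs", jobAPI)
	return mux
}

// vulnerableMux registers the route with no auth or RBAC middleware: the flaw described above.
func vulnerableMux() http.Handler { return newMux(http.HandlerFunc(jobsHandler)) }
// fixedMux wraps the same handler in the middleware the routing configuration was missing.
func fixedMux() http.Handler { return newMux(requireAuthAndRBAC(http.HandlerFunc(jobsHandler))) }

// requireAuthAndRBAC answers 401 without a valid bearer token and 403 when the role lacks permission;
// methods absent from jobPermissions are denied by default.
func requireAuthAndRBAC(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		role, authenticated := tokenRoles[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if !authenticated {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !jobPermissions[r.Method][role] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Serves the protected variant on loopback when run stand-alone.
func main() { log.Fatal(http.ListenAndServe("127.0.0.1:8080", fixedMux())) }
```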