hcengineering Huly Platform JWT Token Hard-Coded Key Vulnerability
Vulnerability
A vulnerability exists in hcengineering Huly Platform version 0.7.382 within the JWT token handling component. The issue arises from the use of a hard-coded cryptographic key in the token signing and verification process. When the SERVER_SECRET environment variable is not set, the application defaults to the string 'secret', which is publicly known and can be exploited. This vulnerability allows remote attackers to forge JWT tokens with elevated privileges, such as administrative rights, leading to a complete compromise of the affected platform.
Impact
Exploitation of this vulnerability allows for unauthorized administrative access, enabling attackers to manipulate user accounts and workspace data. This could involve deleting accounts or workspaces, impersonating users, or accessing sensitive information.
Reproduction
To reproduce this vulnerability, deploy hcengineering Huly Platform version 0.7.382 without configuring the SERVER_SECRET environment variable. The application will default to the hard-coded secret 'secret'. An attacker can then forge a JWT token by encoding a payload that includes administrative privileges, using the default secret. This token can be used to access admin-only APIs, effectively compromising the platform.
Remediation
It is recommended to remove the hard-coded secret fallback entirely and ensure that the SERVER_SECRET is explicitly configured before the application starts. Additionally, generate a cryptographically secure secret on the first deployment, enforce a minimum secret length, and implement a health check that warns about weak secrets.
