📦 Dragonfly
by Linuxfoundation
🛡️ Security Overview
⚠️ Known Vulnerabilities
Dragonfly versions 2.4.1-rc.0 and below have missing authentication and authorization checks on Job API endpoints, allowing unauthenticated users with network access to the Manager API to view, modify...
This vulnerability in Dragonfly allows peers to create or read arbitrary files on other peers' systems via gRPC and HTTP APIs, enabling data theft and remote code execution. It affects all Dragonfly u...
Dragonfly Manager web UI endpoints /api/v1/jobs and /preheats lack authentication in versions before 2.1.0, allowing unauthenticated attackers to create, delete, and modify jobs. This enables denial-o...
CVE-2023-27584 is a critical authentication bypass vulnerability in Dragonfly, an open-source P2P file distribution system, due to a hardcoded JWT secret key. This allows attackers to impersonate admi...
A denial-of-service vulnerability in Dragonfly's P2P file distribution system allows attackers to bypass rate limiting by exploiting an uninitialized variable in traffic tracking. This affects all Dra...
Dragonfly versions before 2.1.0 use MD5 hashing for file verification, which is cryptographically broken and allows attackers to create malicious files with the same hash as legitimate files. This aff...
Dragonfly versions before 2.1.0 contain a nil pointer dereference vulnerability where code panics when a function returns an error but its first return value is still dereferenced. This affects all Dr...
Dragonfly's proxy access control mechanism prior to version 2.1.0 uses simple string comparisons vulnerable to timing attacks. Attackers can guess passwords character-by-character by measuring executi...
Dragonfly Manager versions before 2.1.0 have disabled TLS certificate verification in HTTP clients, making them vulnerable to man-in-the-middle attacks. An attacker can intercept network traffic and p...