CVE-2025-59345

Опубликовано: 17 сент. 2025

Источник: nvd

CVSS3: 9.1

EPSS Низкий

Описание

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs, and create preheat jobs. An unauthenticated adversary with network access to a Manager web UI uses /api/v1/jobs endpoint to create hundreds of useless jobs. The Manager is in a denial-of-service state, and stops accepting requests from valid administrators. This vulnerability is fixed in 2.1.0.

Ссылки

https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf
Vendor Advisory
https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-89vc-vf32-ch59
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:linuxfoundation:dragonfly:*:*:*:*:*:go:*:*

Версия до 2.1.10 (исключая)

EPSS

Процентиль: 29%

0.00104

Низкий

9.1 Critical

CVSS3

Дефекты

CWE-306

Связанные уязвимости

GHSA-89vc-vf32-ch59

github

5 месяцев назад

Dragonfly doesn't have authentication enabled for some Manager’s endpoints