apache/submarine

Hard-coded JWT Key Vulnerability

laiyousin opened this issue · 0 comments

A hard-coded JWT (JSON Web Token) key vulnerability has been discovered, specifically within org.apache.submarine.commons.utils.SubmarineConfVars.ConfVars#SUBMARINE_AUTH_DEFAULT_SECRET, where the key is hardcoded as SUBMARINE_SECRET_12345678901234567890. It will pose a significant security risk by allowing attackers to generate unauthorized JWT tokens, potentially enabling them to bypass authentication mechanisms and access sensitive data and functionalities.

image