Trail of Bits

DragonFly2

Type: Security review
Client: OSTIF
Date: 2023-07
Domain: AppSec
Effort: 4 wks
Section: Technology Product Reviews

Trail of Bits' security review of DragonFly2 for OSTIF (Jul 2023) identified 19 issues: 5 high, 1 medium, 4 low, 5 informational, and 4 undetermined.

Findings · 19

  1. Authentication is not enabled for some Manager's endpoints (Undetermined)
  2. Server-side request forgery vulnerabilities (High)
  3. Manager makes requests to external endpoints with disabled TLS authentication (Low)
  4. Incorrect handling of a task structure's usedTrac field (Low)
  5. Directories created via os.MkdirAll are not checked for permissions (Low)
  6. Slicing operations with hard-coded indexes and without explicit length validation (Informational)
  7. Files are closed without error check (Low)
  8. Timing attacks against Proxy's basic authentication are possible (Undetermined)
  9. Possible panics due to nil pointer dereference when using variables created alongside an error (Medium)
  10. TrimLeft is used instead of TrimPrefix (Informational)
  11. Vertex.DeleteInEdges and Vertex.DeleteOutEdges functions are not thread safe (Undetermined)
  12. Arbitrary file read and write on a peer machine (High)
  13. Manager generates mTLS certificates for arbitrary IP addresses (High)
  14. gRPC requests are weakly validated (Undetermined)
  15. Weak integrity checks for downloaded files (High)
  16. Invalid error handling, missing return statement (Informational)
  17. Tiny file download uses hard-coded HTTP protocol (High)
  18. Incorrect log message (Informational)
  19. Usage of architecture-dependent int type (Informational)

Findings extracted from the published report PDF. See the full report below for details and remediation.