CVE-2023-5074
Hard-coded Credentials: Use of a static key to protect a JWT token used in user authentication can allow for an authentication bypass in D-Link D-View 8 v2
Executive Summary
CVE-2023-5074 is a critical severity vulnerability affecting D-Link D-View 8 (Precogs scanner category: pii-secrets). It is classified as Hard-coded Credentials. Ensure your systems and dependencies are patched immediately to mitigate exposure risks.
Precogs AI Insight
"D-Link D-View 8 uses a static, hardcoded cryptographic key to sign JWT tokens. Attackers extract this key to forge valid administrative tokens, bypassing authentication and taking over the network management system. Precogs PII & Secrets Scanner specifically identifies hardcoded cryptographic materials."
What is this vulnerability?
CVE-2023-5074 is categorized as a critical Hard-coded Credentials flaw with a CVSS base score of 9.8. Based on our vulnerability intelligence, this class of issue occurs when an application embeds a fixed secret in the code or binaries it ships; here the secret is the key used to sign and verify the JWT tokens that authenticate users, so it is the same in every installation.
Use of a static key to protect a JWT token used in user authentication can allow for an authentication bypass in D-Link D-View 8 v2.0.1.28
Because the verifier trusts any token signed with that key, anyone who recovers it can mint tokens for arbitrary accounts, bypassing the intended authentication controls and taking over the network management system. Remediation should be treated as urgent.
Risk Assessment
| Metric | Value |
|---|---|
| CVSS Base Score | 9.8 (CRITICAL) |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Published | September 20, 2023 |
| Last Modified | November 21, 2024 |
| Related CWEs | CWE-798 |
Impact on Systems
- Credential Theft: Exposed secrets enable unauthorized access to infrastructure, cloud services, and third-party integrations.
- Compliance Violation: Leaking PII or credentials may violate GDPR, HIPAA, PCI-DSS, and SOC 2 requirements.
- Supply Chain Risk: Compromised credentials in public repositories can propagate to downstream consumers.
How to Fix and Mitigate CVE-2023-5074
- Apply Vendor Patches: Upgrade affected D-Link D-View 8 installations (v2.0.1.28) to the vendor's latest non-vulnerable release immediately.
- Implement Input Validation: Ensure all user-supplied data is validated, sanitized, and type-checked before processing.
- Deploy Runtime Protection: Use Precogs continuous monitoring to detect exploitation attempts in real time.
- Audit Dependencies: Review and update all third-party libraries and transitive dependencies.
Defending with Precogs AI
Use Precogs to continuously scan your codebase, binaries, APIs, and infrastructure for this vulnerability class and related attack patterns. Our AI-powered detection engine combines static analysis with threat intelligence to identify exploitable weaknesses before attackers do.
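To make the static-key problem concrete, here is an added example (not code from the page, from D-Link, or from Precogs) showing the two halves a defender cares about: loading a per-deployment JWT signing key from the environment and refusing a shipped default, and triaging presented tokens so that any token that verifies under the known default key is flagged. `STATIC_DEFAULT_KEY`, the `JWT_SIGNING_KEY` variable name, and all tokens are constructed placeholders.

```python
import base64, hashlib, hmac, json, os

# Constructed placeholder standing in for a key compiled identically into every install.
STATIC_DEFAULT_KEY = b"example-static-key-do-not-use"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; used here only to build test tokens."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_hs256(token: str, key: bytes):
    """Return the claims if the token is validly signed under key, else None.
    Only HS256 is accepted, so an attacker-chosen 'alg' is never honoured."""
    try:
        h, p, s = token.split(".")
        hdr = json.loads(b64url_decode(h))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None

def load_deployment_key() -> bytes:
    """Secure pattern: key supplied per deployment, never a compiled-in constant."""
    key = os.environ.get("JWT_SIGNING_KEY", "").encode()
    if len(key) < 32:
        raise RuntimeError("JWT_SIGNING_KEY must be set and at least 32 bytes")
    if hmac.compare_digest(key, STATIC_DEFAULT_KEY):
        raise RuntimeError("JWT_SIGNING_KEY must not be the shipped default key")
    return key

def classify_token(token: str, deployment_key: bytes) -> str:
    """Triage a presented token: 'valid' under this deployment's key,
    'signed-with-default-key' (a strong forgery indicator worth alerting on),
    or 'invalid'."""
    if verify_hs256(token, deployment_key) is not None:
        return "valid"
    if verify_hs256(token, STATIC_DEFAULT_KEY) is not None:
        return "signed-with-default-key"
    return "invalid"
```

Running `classify_token` over tokens seen in access logs turns the leaked-key scenario into a detectable event rather than a silent bypass.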
Vulnerability Code Signature
Attack Data Flow
| Stage | Detail |
|---|---|
| Source | Source code repository |
| Vector | Secrets embedded directly in the codebase |
| Sink | Authentication API or database connection |
| Impact | Unauthorized access, data breach |
Vulnerable Code Pattern
```java
// ❌ VULNERABLE: hard-coded credential
public class DatabaseConfig {
    // Secret embedded in source: identical in every build and recoverable from the shipped binary
    public static final String DB_PASSWORD = "SuperSecretPassword123!";
}
```
Secure Code Pattern
```java
// ✅ SECURE: read from the environment
public class DatabaseConfig {
    // Supplied per deployment at runtime; the value never enters the repository or the binary
    public static final String DB_PASSWORD = System.getenv("DB_PASSWORD");
}
```
How Precogs Detects This
Precogs PII & Secrets Scanner continuously monitors codebases for hardcoded secrets, API keys, and reversible encryption.