CVE-2023-31581: 
Java vulnerability analysis and mitigation

Dromara Sureness before version 1.0.8 was discovered to contain a hardcoded cryptographic key vulnerability (CVE-2023-31581). The vulnerability was identified in the JsonWebTokenUtil class where a hardcoded secret key was used for creating and verifying JSON Web Tokens (JWTs). This security issue was disclosed on September 6, 2022, and affects the authentication mechanism of web-based APIs (GitHub Issue, Advisory).

The vulnerability exists in the JsonWebTokenUtil class within the com.usthe.sureness.util package. The issue stems from using a predictable/constant cryptographic key for JWT operations, which violates security implementation specifications for JWT. This vulnerability is classified as CWE-798 (Use of Hard-coded Credentials) and has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The presence of a hardcoded cryptographic key could allow attackers to craft arbitrary JWT tokens and subsequently bypass authentication mechanisms for web-based APIs. This vulnerability compromises the security of applications using the affected versions of Sureness, potentially leading to unauthorized access to protected resources (Advisory).

The vulnerability has been fixed in Sureness version 1.0.8 and later. Users are recommended to upgrade to the latest version. For those unable to upgrade immediately, it is recommended to avoid using the default key configuration and implement a more secure way to store and manage JWT secrets, following NIST Special Publication 800-57 guidelines (GitHub Issue).