Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zNHEzLXAzNTItYzdxOM4AA5Bm
Central Dogma Authentication Bypass Vulnerability via Session Leakage
Vulnerability Overview
A vulnerability has been identified in Central Dogma versions prior to 0.64.1, allowing for the leakage of user sessions and subsequent authentication bypass. The issue stems from a Cross-Site Scripting (XSS) attack vector that targets the RelayState of Security Assertion Markup Language (SAML).
Impact
Successful exploitation of this vulnerability enables malicious actors to leak user sessions, leading to the compromise of authentication mechanisms. This, in turn, can facilitate unauthorized access to sensitive resources.
Patches
This vulnerability is addressed and resolved in Central Dogma version 0.64.1 Users are strongly encouraged to upgrade to this version or later to mitigate the risk associated with the authentication bypass.
Workarounds
No viable workarounds are currently available for this vulnerability. It is recommended to apply the provided patch promptly.
References
Permalink: https://github.com/advisories/GHSA-34q3-p352-c7q8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNHEzLXAzNTItYzdxOM4AA5Bm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 3 months ago
Updated: 10 days ago
CVSS Score: 9.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Identifiers: GHSA-34q3-p352-c7q8, CVE-2024-1143
References:
- https://github.com/line/centraldogma/security/advisories/GHSA-34q3-p352-c7q8
- https://nvd.nist.gov/vuln/detail/CVE-2024-1143
- https://github.com/line/centraldogma/commit/8edcf913b88101aff70008156b0881850e005783
- https://github.com/advisories/GHSA-34q3-p352-c7q8
Blast Radius: 0.0
Affected Packages
maven:com.linecorp.centraldogma:centraldogma-server
Dependent packages: 5Dependent repositories: 1
Downloads:
Affected Version Ranges: < 0.64.1
Fixed in: 0.64.1
All affected versions: 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.20.1, 0.21.0, 0.21.1, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.28.1, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.32.1, 0.33.0, 0.34.0, 0.35.0, 0.35.1, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.39.1, 0.39.2, 0.40.0, 0.40.1, 0.41.0, 0.41.1, 0.41.2, 0.41.3, 0.41.4, 0.42.0, 0.43.0, 0.43.1, 0.43.2, 0.43.3, 0.43.4, 0.44.0, 0.44.1, 0.44.2, 0.44.3, 0.44.4, 0.44.5, 0.44.6, 0.44.7, 0.44.8, 0.44.9, 0.44.10, 0.44.11, 0.44.12, 0.44.13, 0.44.14, 0.45.0, 0.45.1, 0.46.0, 0.46.1, 0.47.0, 0.47.1, 0.48.0, 0.49.0, 0.49.1, 0.50.0, 0.51.0, 0.51.1, 0.52.0, 0.52.1, 0.52.2, 0.52.3, 0.52.4, 0.52.5, 0.52.6, 0.53.0, 0.53.1, 0.54.0, 0.55.0, 0.55.1, 0.55.2, 0.56.0, 0.56.1, 0.56.2, 0.57.0, 0.57.1, 0.57.2, 0.57.3, 0.58.0, 0.58.1, 0.59.0, 0.60.0, 0.60.1, 0.61.0, 0.61.1, 0.61.2, 0.61.3, 0.61.4, 0.61.5, 0.62.0, 0.62.1, 0.63.0, 0.63.1, 0.63.2, 0.63.3, 0.64.0
All unaffected versions: 0.64.1, 0.64.2, 0.64.3