GHSA-34q3-p352-c7q8

Source

https://github.com/advisories/GHSA-34q3-p352-c7q8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-34q3-p352-c7q8/GHSA-34q3-p352-c7q8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-34q3-p352-c7q8

Aliases

CVE-2024-1143

Published

2024-02-02T16:55:25Z

Modified

2024-11-28T05:33:48.180958Z

Severity

9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator

Summary

Central Dogma Authentication Bypass Vulnerability via Session Leakage

Details

Vulnerability Overview

A vulnerability has been identified in Central Dogma versions prior to 0.64.1, allowing for the leakage of user sessions and subsequent authentication bypass. The issue stems from a Cross-Site Scripting (XSS) attack vector that targets the RelayState of Security Assertion Markup Language (SAML).

Impact

Successful exploitation of this vulnerability enables malicious actors to leak user sessions, leading to the compromise of authentication mechanisms. This, in turn, can facilitate unauthorized access to sensitive resources.

Patches

This vulnerability is addressed and resolved in Central Dogma version 0.64.1 Users are strongly encouraged to upgrade to this version or later to mitigate the risk associated with the authentication bypass.

Workarounds

No viable workarounds are currently available for this vulnerability. It is recommended to apply the provided patch promptly.

References

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-02T16:55:25Z"
}

References

Affected packages

Maven / com.linecorp.centraldogma:centraldogma-server

Package

Name: com.linecorp.centraldogma:centraldogma-server; View open source insights on deps.dev
Purl: pkg:maven/com.linecorp.centraldogma/centraldogma-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.64.1

Affected versions

0.*

0.17.0

0.18.0

0.19.0

0.20.0

0.20.1

0.21.0

0.21.1

0.22.0

0.23.0

0.24.0

0.25.0

0.26.0

0.27.0

0.28.0

0.28.1

0.29.0

0.30.0

0.31.0

0.32.0

0.32.1

0.33.0

0.34.0

0.35.0

0.35.1

0.36.0

0.37.0

0.38.0

0.39.0

0.39.1

0.39.2

0.40.0

0.40.1

0.41.0

0.41.1

0.41.2

0.41.3

0.41.4

0.42.0

0.43.0

0.43.1

0.43.2

0.43.3

0.43.4

0.44.0

0.44.1

0.44.2

0.44.3

0.44.4

0.44.5

0.44.6

0.44.7

0.44.8

0.44.9

0.44.10

0.44.11

0.44.12

0.44.13

0.44.14

0.45.0

0.45.1

0.46.0

0.46.1

0.47.0

0.47.1

0.48.0

0.49.0

0.49.1

0.50.0

0.51.0

0.51.1

0.52.0

0.52.1

0.52.2

0.52.3

0.52.4

0.52.5

0.52.6

0.53.0

0.53.1

0.54.0

0.55.0

0.55.1

0.55.2

0.56.0

0.56.1

0.56.2

0.57.0

0.57.1

0.57.2

0.57.3

0.58.0

0.58.1

0.59.0

0.60.0

0.60.1

0.61.0

0.61.1

0.61.2

0.61.3

0.61.4

0.61.5

0.62.0

0.62.1

0.63.0

0.63.1

0.63.2

0.63.3

0.64.0