Known issues

  • Security issues with Thrift RPC layer

• Unlike REST requests, Thrift RPC requests do not go through the Shiro authentication layer, which means they are executed even if the caller has not been authenticated by Shiro.

      • Still, a client must at least send the Authorization: bearer anonymous header, which should prevent most CSRF attacks, because a browser will not attach that header to a cross-site request on its own.

      • If you want to reduce the attack surface even further, consider changing the hard-coded token "anonymous".

    • With Thrift RPC requests, the caller can specify an arbitrary author for a commit, which can lead to authorship forgery.

    • Consider enforcing network-level access control over Thrift calls.

• Note that the Thrift RPC layer is kept only for backward compatibility and will be removed in the future in favor of the REST API.
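One way to apply the network-level access control suggested above is to put a reverse proxy in front of the server and restrict only the Thrift RPC path. The configuration below is an added example, not part of Central Dogma's own documentation or distribution; it assumes Central Dogma listens on 127.0.0.1:36462, that the Thrift RPC endpoint lives under the /cd/thrift/ path prefix, and that 10.0.0.0/8 is the internal range of legitimate legacy clients. Verify all three against your deployment before use.

```nginx
# Added example (not Central Dogma's own configuration): an nginx reverse proxy
# that limits the unauthenticated Thrift RPC path to trusted networks while the
# REST API and web UI, which pass through Shiro, stay reachable as before.
# Assumptions: Central Dogma on 127.0.0.1:36462, Thrift served under /cd/thrift/.

upstream centraldogma {
    server 127.0.0.1:36462;
}

server {
    listen 443 ssl;
    server_name dogma.example.com;                  # placeholder hostname

    ssl_certificate     /etc/nginx/tls/dogma.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/dogma.key;

    # Thrift RPC bypasses Shiro, so only the networks that still need the
    # legacy client may reach it at all.
    location /cd/thrift/ {
        allow 10.0.0.0/8;        # constructed example: internal client range
        allow 127.0.0.1;
        deny  all;

        # Defence in depth: drop requests that do not even carry the
        # Authorization header the Thrift client is required to send.
        if ($http_authorization = "") {
            return 401;
        }

        proxy_pass http://centraldogma;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else (REST API, web UI) is left to Shiro authentication.
    location / {
        proxy_pass http://centraldogma;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The allow/deny rules are evaluated before the request is proxied, so a caller outside the listed ranges receives 403 without the Thrift request ever reaching Central Dogma. If the server is exposed directly rather than behind a proxy, the equivalent restriction belongs in a host firewall or cloud security group rule for the same port and source ranges.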

Previously known issues

• A privilege escalation vulnerability was found in Central Dogma. An attacker could exploit it by mirroring into the internal dogma repository, which holds the file that manages a project's authorization; the mirror could overwrite that file, resulting in privilege escalation.

    • This issue affects: Central Dogma artifacts from 0.17.0 to 0.51.1.

    • The impact: An attacker is able to obtain admin rights on a project by using mirroring.

    • The component: Mirroring feature

    • The attack vector: The victim's project must grant write permission to the Guest role.

    • The fixed version: 0.52.0 and later.

    • See CVE-2021-38388 for more information.

• A DOM-based cross-site scripting (XSS) vulnerability was found in Central Dogma. An attacker could exploit it by convincing an authenticated user to visit a specially crafted URL on a Central Dogma server, allowing arbitrary scripts to execute in the user's browser and thereby perform unauthorized actions.

    • This issue affects: Central Dogma artifacts from 0.17.0 to 0.40.1.

    • The impact: An attacker is able to make the victim execute arbitrary JavaScript code in the browser.

    • The component: Notification feature

    • The attack vector: The victim must open a specially crafted URL.

    • The fixed version: 0.41.0 and later.

    • See CVE-2019-6002 for more information.

• If you find a security bug, please let us know at dl_oss_dev@linecorp.com or send a Slack DM to a maintainer.