Security issues with Thrift RPC layer
Unlike REST requests, Thrift RPC requests do not go through Shiro authentication layer, which means they will be executed even if you are not authenticated by Shiro.
Still, a client must at least send the Authorization: bearer anonymous header, which should prevent most CSRF attacks: a cross-site form submission cannot set an Authorization header, and a cross-origin fetch or XMLHttpRequest that sets one triggers a CORS preflight.
If you want to reduce the attack surface even more, consider changing the hard-coded token
With Thrift RPC requests, the caller can specify an arbitrary author for a commit, which can lead to authorship forgery.
Consider enforcing network-level access control over Thrift calls.
Note that the Thrift RPC layer is left only for backward compatibility, and will be removed in the future, in favor of the REST API.
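The two mitigations above, the fixed bearer token and a network-level allowlist, can be checked in a reverse proxy or gateway in front of the server. The following is an added example written for this page, not code from the Central Dogma project: a policy function that a gateway would call for each request. The Thrift path prefix `/cd/thrift/`, the allowed networks and the sample requests are assumptions constructed for the example; adjust them to your deployment.

```python
import ipaddress
from typing import Mapping, Tuple

# Assumed path prefix of the Thrift RPC endpoint (not taken from the project docs).
THRIFT_PATH_PREFIX = "/cd/thrift/"

# Constructed example: only these networks may reach the Thrift RPC layer.
ALLOWED_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("fd00::/8"),
)

# The hard-coded token that the Thrift client must present.
EXPECTED_SCHEME = "bearer"
EXPECTED_TOKEN = "anonymous"


def is_thrift_request(path: str) -> bool:
    """True if the request targets the Thrift RPC endpoint rather than the REST API."""
    return path.startswith(THRIFT_PATH_PREFIX)


def check_thrift_request(path: str, headers: Mapping[str, str], peer_ip: str,
                         allowed_networks=ALLOWED_NETWORKS) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request seen by the gateway.

    peer_ip must be the transport-level peer address. Do not take it from
    X-Forwarded-For: a client can forge that header, but not its TCP source.
    """
    if not is_thrift_request(path):
        # REST requests are left to the Shiro authentication layer.
        return True, "not a Thrift RPC request"

    # Header names are case-insensitive; normalise before lookup.
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization")
    if auth is None:
        # A cross-site HTML form cannot add this header, so the request is dropped here.
        return False, "missing Authorization header"
    scheme, _, token = auth.strip().partition(" ")
    if scheme.lower() != EXPECTED_SCHEME or token.strip() != EXPECTED_TOKEN:
        return False, "unexpected Authorization header"

    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "unparseable peer address"
    if not any(addr in net for net in allowed_networks):
        return False, f"peer {peer_ip} is outside the allowed networks"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: an internal Thrift client, a cross-site form
    # POST without the header, and an external host that knows the token.
    samples = [
        ("/cd/thrift/v1", {"Authorization": "bearer anonymous"}, "10.1.2.3"),
        ("/cd/thrift/v1", {"Content-Type": "application/x-www-form-urlencoded"}, "10.1.2.3"),
        ("/cd/thrift/v1", {"Authorization": "bearer anonymous"}, "203.0.113.5"),
        ("/api/v1/projects", {}, "203.0.113.5"),
    ]
    for path, hdrs, ip in samples:
        allowed, reason = check_thrift_request(path, hdrs, ip)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {ip:12} {path:18} {reason}")
```

The token check alone only stops browser-driven requests; anyone who can reach the port and read these docs knows the token, which is why the network allowlist is the control that actually limits who can issue Thrift calls (and forge commit authors).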
Previously known issues
A privilege escalation vulnerability was found in Central Dogma. An attacker could exploit the mirroring feature by mirroring into the internal dogma repository that holds the file managing a project's authorization. The mirror could overwrite that file, resulting in privilege escalation.
This issue affects: Central Dogma artifacts from 0.17.0 to 0.51.1.
The impact: An attacker is able to become an admin of a project by using mirroring.
The component: Mirroring feature
The attack vector: The victim's project must grant write permission to the Guest role.
The fixed version: 0.52.0 and later.
See CVE-2021-38388 for more information.
A DOM-based cross-site scripting (XSS) vulnerability was found in Central Dogma. An attacker could exploit this by convincing an authenticated user to visit a specifically crafted URL on a Central Dogma server, allowing arbitrary scripts to run in the victim's browser and unauthorized actions to be performed on their behalf.
This issue affects: Central Dogma artifacts from 0.17.0 to 0.40.1.
The component: Notification feature
The attack vector: Victim must open a specifically crafted URL.
The fixed version: 0.41.0 and later.
See CVE-2019-6002 for more information.