Publish GHSA-4hr2-xf7w-jf76

advisory-database[bot] · advisory-database[bot] · commit b5de81551a9a · 2025-12-04T16:59:17.000Z
diff --git a/advisories/github-reviewed/2025/12/GHSA-4hr2-xf7w-jf76/GHSA-4hr2-xf7w-jf76.json b/advisories/github-reviewed/2025/12/GHSA-4hr2-xf7w-jf76/GHSA-4hr2-xf7w-jf76.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4hr2-xf7w-jf76",
+  "modified": "2025-12-04T16:57:17Z",
+  "published": "2025-12-04T16:57:17Z",
+  "aliases": [
+    "CVE-2025-11222"
+  ],
+  "summary": "Central Dogma's Login Function Has an Open Redirect Vulnerability",
+  "details": "### Impact\nSuccessful exploitation of this vulnerability could allow an attacker to craft a malicious link that, when clicked by a victim, redirects them to a phishing website designed to mimic the legitimate Central Dogma login page. This could result in the compromise of user accounts and unauthorized access to the Central Dogma instance.\n\n### Patches\nThis vulnerability is addressed and resolved in Central Dogma version 0.78.0. The server operators who run Central Dogma server with Shiro authentication are strongly encouraged to upgrade to this version or later to mitigate the risk associated with the open redirect vulnerability.\n\n### Workarounds\nImplement `AuthProvider` to overrides `webLoginService()`.\n\n### References\n- https://cwe.mitre.org/data/definitions/601.html",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.linecorp.centraldogma:centraldogma-server-auth-shiro"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.78.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/line/centraldogma/security/advisories/GHSA-4hr2-xf7w-jf76"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11222"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/line/centraldogma/pull/1207"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/line/centraldogma/commit/95e7bbd77266493e4ec70b670bd91fa3e3289de0"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/line/centraldogma"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-601"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-04T16:57:17Z",
+    "nvd_published_at": "2025-12-04T13:15:46Z"
+  }
+}
