    8 vulnerabilities found for Central Dogma by LY Corporation

    CVE-2026-11748 (GCVE-0-2026-11748)

    Vulnerability from nvd – Published: 2026-06-22 02:37 – Updated: 2026-06-22 16:12
    Summary
    A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure.
    SSVC
    Exploitation: poc; Automatable: yes; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
    Impacted products
    Vendor: LY Corporation
    Product: Central Dogma
    Version: Unaffected: 0.84.0, < * (custom)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11748",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T16:11:47.695670Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-90",
                    "description": "CWE-90 Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T16:12:07.208Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/line/centraldogma/security/advisories/GHSA-98q5-5qh2-7w75"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Central Dogma",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0.84.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-90",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T02:37:35.370Z",
            "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
            "shortName": "LY-Corporation"
          },
          "references": [
            {
              "url": "https://github.com/line/centraldogma/security/advisories/GHSA-98q5-5qh2-7w75"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
        "assignerShortName": "LY-Corporation",
        "cveId": "CVE-2026-11748",
        "datePublished": "2026-06-22T02:37:35.370Z",
        "dateReserved": "2026-06-09T06:50:03.618Z",
        "dateUpdated": "2026-06-22T16:12:07.208Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11746 (GCVE-0-2026-11746)

    Vulnerability from nvd – Published: 2026-06-22 02:35 – Updated: 2026-06-22 16:13
    Summary
    A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.
    SSVC
    Exploitation: poc; Automatable: no; Technical Impact: total
    CISA Coordinator (v2.0.3)
    Impacted products
    Vendor: LY Corporation
    Product: Central Dogma
    Version: Unaffected: 0.84.0, < * (custom)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11746",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T16:12:56.884349Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-798",
                    "description": "CWE-798 Use of Hard-coded Credentials",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T16:13:00.513Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/line/centraldogma/security/advisories/GHSA-2j95-gqxf-v3vg"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Central Dogma",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0.84.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-798",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T02:35:51.201Z",
            "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
            "shortName": "LY-Corporation"
          },
          "references": [
            {
              "url": "https://github.com/line/centraldogma/security/advisories/GHSA-2j95-gqxf-v3vg"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
        "assignerShortName": "LY-Corporation",
        "cveId": "CVE-2026-11746",
        "datePublished": "2026-06-22T02:35:51.201Z",
        "dateReserved": "2026-06-09T06:48:47.296Z",
        "dateUpdated": "2026-06-22T16:13:00.513Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11745 (GCVE-0-2026-11745)

    Vulnerability from nvd – Published: 2026-06-22 02:33 – Updated: 2026-06-22 16:29
    Summary
    A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories.
    SSVC
    Exploitation: poc; Automatable: no; Technical Impact: total
    CISA Coordinator (v2.0.3)
    Impacted products
    Vendor: LY Corporation
    Product: Central Dogma
    Version: Unaffected: 0.84.0, < * (custom)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11745",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T16:29:39.280352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-322",
                    "description": "CWE-322 Key Exchange without Entity Authentication",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T16:29:43.057Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/line/centraldogma/security/advisories/GHSA-vjfw-cpmh-xwv3"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "Central Dogma",
              "vendor": "LY Corporation",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0.84.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L",
                "version": "4.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-322",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T02:33:08.952Z",
            "orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
            "shortName": "LY-Corporation"
          },
          "references": [
            {
              "url": "https://github.com/line/centraldogma/security/advisories/GHSA-vjfw-cpmh-xwv3"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb",
        "assignerShortName": "LY-Corporation",
        "cveId": "CVE-2026-11745",
        "datePublished": "2026-06-22T02:33:08.952Z",
        "dateReserved": "2026-06-09T06:46:10.431Z",
        "dateUpdated": "2026-06-22T16:29:43.057Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11748 (GCVE-0-2026-11748)

    Vulnerability from cvelistv5 – Published: 2026-06-22 02:37 – Updated: 2026-06-22 16:12
    Summary
    A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter without neutralizing LDAP filter metacharacters, allowing an unauthenticated attacker to manipulate the filter to cause authentication confusion and enumerate the directory structure.
    SSVC
    Exploitation: poc; Automatable: yes; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
    Impacted products
    Vendor: LY Corporation
    Product: Central Dogma
    Version: Unaffected: 0.84.0, < * (custom)

    CVE-2026-11746 (GCVE-0-2026-11746)

    Vulnerability from cvelistv5 – Published: 2026-06-22 02:35 – Updated: 2026-06-22 16:13
    Summary
    A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.
    SSVC
    Exploitation: poc; Automatable: no; Technical Impact: total
    CISA Coordinator (v2.0.3)
    Impacted products
    Vendor: LY Corporation
    Product: Central Dogma
    Version: Unaffected: 0.84.0, < * (custom)

    CVE-2026-11745 (GCVE-0-2026-11745)

    Vulnerability from cvelistv5 – Published: 2026-06-22 02:33 – Updated: 2026-06-22 16:29
    Summary
    A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories.
    SSVC
    Exploitation: poc; Automatable: no; Technical Impact: total
    CISA Coordinator (v2.0.3)
    Impacted products
    Vendor: LY Corporation
    Product: Central Dogma
    Version: Unaffected: 0.84.0, < * (custom)

    JVNDB-2024-002342

    Vulnerability from jvndb - Published: 2024-05-13 17:27 - Updated: 2024-05-13 17:27
    Summary
    Central Dogma vulnerable to cross-site scripting
    Details
    Central Dogma provided by LY Corporation contains a cross-site scripting vulnerability (CWE-79, CVE-2024-1143) because RelayState data is not properly treated when Central Dogma processes SAML messages. LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-002342.html",
      "dc:date": "2024-05-13T17:27+09:00",
      "dcterms:issued": "2024-05-13T17:27+09:00",
      "dcterms:modified": "2024-05-13T17:27+09:00",
      "description": "Central Dogma provided by LY Corporation contains a cross-site scripting vulnerability (CWE-79, CVE-2024-1143) because RelayState data is not properly treated when Central Dogma processes SAML messages.\r\n\r\nLY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.",
      "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-002342.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:central_dogma",
        "@product": "Central Dogma",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "9.3",
        "@severity": "Critical",
        "@type": "Base",
        "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
        "@version": "3.0"
      },
      "sec:identifier": "JVNDB-2024-002342",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/vu/JVNVU99669446/index.html",
          "@id": "JVNVU#99669446",
          "@source": "JVN"
        },
        {
          "#text": "https://www.cve.org/CVERecord?id=CVE-2024-1143",
          "@id": "CVE-2024-1143",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2024-1143",
          "@id": "CVE-2024-1143",
          "@source": "NVD"
        },
        {
          "#text": "https://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.html#__RefHeading__8196_1983180497",
          "@id": "SAML v2.0 Errata 05, E90: RelayState sanitization",
          "@source": "Related document"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        }
      ],
      "title": "Central Dogma vulnerable to cross-site scripting"
    }

    JVNDB-2019-000050

    Vulnerability from jvndb - Published: 2019-07-31 15:29 - Updated: 2019-10-04 16:37
    Summary
    Central Dogma vulnerable to cross-site scripting
    Details
    Central Dogma provided by LINE Corporation contains a cross-site scripting vulnerability (CWE-79). LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000050.html",
      "dc:date": "2019-10-04T16:37+09:00",
      "dcterms:issued": "2019-07-31T15:29+09:00",
      "dcterms:modified": "2019-10-04T16:37+09:00",
      "description": "Central Dogma provided by LINE Corporation contains a cross-site scripting vulnerability (CWE-79).\r\n\r\nLINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000050.html",
      "sec:cpe": {
        "#text": "cpe:/a:linecorp:central_dogma",
        "@product": "Central Dogma",
        "@vendor": "LY Corporation",
        "@version": "2.2"
      },
      "sec:cvss": [
        {
          "@score": "4.3",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "@version": "2.0"
        },
        {
          "@score": "6.1",
          "@severity": "Medium",
          "@type": "Base",
          "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "@version": "3.0"
        }
      ],
      "sec:identifier": "JVNDB-2019-000050",
      "sec:references": [
        {
          "#text": "https://jvn.jp/en/jp/JVN94889214/index.html",
          "@id": "JVN#94889214",
          "@source": "JVN"
        },
        {
          "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6002",
          "@id": "CVE-2019-6002",
          "@source": "CVE"
        },
        {
          "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-6002",
          "@id": "CVE-2019-6002",
          "@source": "NVD"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        }
      ],
      "title": "Central Dogma vulnerable to cross-site scripting"
    }