Impact
The affected Git mirror client for Central Dogma fails to verify the SSH host key when retrieving repositories over git+ssh. An attacker who can intercept the SSH traffic is able to pose as the remote Git server and supply malicious content, thereby corrupting the mirrored repository. This flaw can lead to the insertion of unauthorized commits or the alteration of existing code, directly damaging code integrity and potentially enabling further exploitation.
Affected Systems
Vulnerability targets the centraldogma-server-mirror-git component of LY Corporation’s Central Dogma, affecting versions older than 0.84.0. No other products or versions are listed as impacted.
Risk and Exploitability
The issue carries a high CVSS score of 8.8 and is not listed in CISA’s KEV catalog. Because host key validation is missing, any network attacker who can observe or modify git+ssh traffic can exploit the flaw, and an attacker who controls the mirror destination can supply a poisoned repository without detection. Although EPSS data is unavailable, the practical exploitability is high for environments without adequate network isolation or host key checking.
OpenCVE Enrichment