CVE-2021-21246
Published 2021-01-15
Priority: P2 70 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: EPSS 49.05% (98.7th percentile)
OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However, for the `/users/{id}` endpoint no security checks are enforced, so it is possible to retrieve arbitrary user details, including their access tokens. These access tokens can be used to access the API or to clone code in the build spec via the HTTP(S) protocol, and a token carries the permissions to all projects accessible by the user account. This issue may lead to a sensitive data leak and expose an access token that can be used to impersonate the administrator or any other user. It was addressed in 4.0.3 by removing user info from the REST API.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| onedev_project | onedev | < 4.0.3 | 4.0.3 |
| theonedev | onedev | < 4.0.3 | 4.0.3 |
Detection & IOCs (extracted from sources)
- Shodan/FOFA asset discovery: search for OneDev instances using title:"OneDev" (Shodan) or title="OneDev" (FOFA) to identify exposed targets.
- No authentication is required to exploit this endpoint; any unauthenticated GET to /rest/users/{id} on OneDev < 4.0.3 will return the user's access token.
- The leaked access tokens grant full access to all projects accessible by the affected user account, including API access and HTTP(S) code cloning; treat any exposed token as fully compromised.
- The vulnerability was fully remediated in OneDev 4.0.3 by removing user info (including access tokens) from the REST API entirely; detection rules will produce no findings on patched instances.
CVSS provenance
- NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
Nuclei
OneDev < 4.0.3 - User Access Token Leak (nuclei · CVSS 7.5)
CVE-2021-21246 [HIGH]
OneDev before version 4.0.3 contains an insecure endpoint that allows retrieval of arbitrary user details, including access tokens, due to missing security checks on /users/{id}, letting attackers leak sensitive data and impersonate users. Exploitation requires no special conditions.
Template:
```yaml
id: CVE-2021-21246

info:
  name: OneDev < 4.0.3 - User Access Token Leak
  author: DhiyaneshDk
  severity: high
  description: |
    OneDev before version 4.0.3 contains an insecure endpoint that allows retrieval of arbitrary user details, including access tokens, due to missing security checks on /users/{id}, letting attackers leak sensitive data and impersonate users, exploit requires no special conditions.
  impact: |
    Attackers can access sensitive user data and tokens, le
```
References
- https://github.com/theonedev/onedev/commit/a4491e5f79dc6cc96eac20972eedc8905ddf6089
- https://github.com/theonedev/onedev/security/advisories/GHSA-66v7-gg85-f4gx