CVE-2021-21246
published 2021-01-15


Priority: P2 · 70 · high
CVSS 3.1 base score: 7.5
Vector: AV:N AC:L PR:N UI:N S:U C:H I:N A:N
Tags: EXPLOIT
EPSS: 49.05% (98.7th percentile)
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However, for the `/users/{id}` endpoint there are no security checks enforced, so it is possible to retrieve arbitrary user details, including their Access Tokens. These access tokens can be used to access the API or to clone code in the build spec via the HTTP(S) protocol, and they carry permissions to all projects accessible by the user account. This issue may lead to `Sensitive data leak` and leak the Access Token, which can be used to impersonate the administrator or any other user. This issue was addressed in 4.0.3 by removing user info from the RESTful API.

Affected (2 ranges)

Vendor           Product   Version range   Fixed in
onedev_project   onedev    < 4.0.3         4.0.3
theonedev        onedev    < 4.0.3         4.0.3

Detection & IOCs (extracted from sources)

url:  /rest/users/1
path: /users/{id}
  • Shodan/FOFA asset discovery: search for OneDev instances using title:"OneDev" (Shodan) or title="OneDev" (FOFA) to identify exposed targets.
  • No authentication is required to exploit this endpoint; any unauthenticated GET to /rest/users/{id} on OneDev < 4.0.3 will return the user's access token.
  • The leaked access tokens grant full access to all projects accessible by the affected user account, including API access and HTTP(S) code cloning — treat any exposed token as fully compromised.
  • The vulnerability was fully remediated in OneDev 4.0.3 by removing user info (including access tokens) from the REST API entirely; detection rules will produce no findings on patched instances.
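The bullets above give a defender two checks: whether a deployed OneDev version is below the fixed 4.0.3, and whether unauthenticated GETs to `/rest/users/{id}` appear in the web server logs. The script below is an added example written for this page, not code from OneDev or from the cbcvebase source. It assumes a constructed, simplified access-log format (`client method path status auth-flag`, where the flag records whether an Authorization header or session cookie was present); a real reverse-proxy log would need its own parser. It flags anonymous GETs to the vulnerable endpoint and additionally reports clients that walked several distinct user IDs, which is the enumeration pattern that harvests every account's token.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Version in which OneDev removed user info (and tokens) from the REST API (from the advisory).
FIXED_VERSION = (4, 0, 3)

# The unprotected endpoint: /rest/users/{id} with a numeric id (IOC on the page: /rest/users/1).
USERS_BY_ID = re.compile(r"^/rest/users/(\d+)/?$")

# Constructed log line format (assumption, not OneDev's own log format):
#   <client_ip> <method> <path> <status> <auth|anon>
LOG_RE = re.compile(r"^(\S+) (GET|POST|PUT|DELETE|PATCH) (\S+) (\d{3}) (auth|anon)$")


def parse_version(text: str) -> tuple:
    """Turn '4.0.2' into (4, 0, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(text: str) -> bool:
    """True for any OneDev release before 4.0.3 (matches the '< 4.0.3' affected range)."""
    return parse_version(text) < FIXED_VERSION


@dataclass(frozen=True)
class Finding:
    client: str
    user_id: int
    status: int


def parse_line(line: str):
    """Return (client, method, path, status, authenticated) or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    client, method, path, status, flag = m.groups()
    return client, method, path, int(status), flag == "auth"


def detect(lines) -> list:
    """Flag every anonymous GET to /rest/users/{id}; the status tells the analyst
    whether the instance actually answered (200 on a vulnerable build)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, path, status, authenticated = rec
        if method != "GET" or authenticated:
            continue
        m = USERS_BY_ID.match(path)
        if m:
            findings.append(Finding(client, int(m.group(1)), status))
    return findings


def enumerating_clients(findings, threshold: int = 3) -> set:
    """Clients that fetched at least `threshold` distinct user IDs anonymously:
    a single hit may be a misconfigured integration, a walk over IDs is harvesting."""
    ids_by_client = defaultdict(set)
    for f in findings:
        ids_by_client[f.client].add(f.user_id)
    return {c for c, ids in ids_by_client.items() if len(ids) >= threshold}


# Constructed sample log: one client walks IDs 1..3 anonymously, an authenticated
# admin fetches a user, and a second client probes other paths that are not in scope.
SAMPLE_LOG = [
    "203.0.113.7 GET /rest/users/1 200 anon",
    "203.0.113.7 GET /rest/users/2 200 anon",
    "203.0.113.7 GET /rest/users/3 200 anon",
    "198.51.100.4 GET /rest/users/1 200 auth",
    "203.0.113.9 GET /rest/users 403 anon",
    "203.0.113.9 GET /rest/projects/5 200 anon",
    "203.0.113.9 POST /rest/users/1 401 anon",
    "this line is garbage and is skipped",
]

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f"anonymous user lookup: client={h.client} id={h.user_id} status={h.status}")
    print("enumerating clients:", enumerating_clients(hits))
    for v in ("4.0.2", "4.0.3", "4.1.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

The version check is what matters for remediation tracking: on 4.0.3 or later the endpoint no longer returns user info, so log findings from a patched instance only indicate probing, not token exposure. On a build below 4.0.3, any 200 response in the findings means that user's token should be treated as compromised and rotated.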

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd      v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N