CVE-2022-39208
Published: 2022-09-13
Priority: P3
Severity: high
CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.43% (69.7th percentile)
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file disclosure vulnerability can be used by unauthenticated attackers to leak all project files of any project. Since project IDs are incremental, an attacker could iterate through them and leak all project data. This issue has been resolved in version 7.3.0 and users are advised to upgrade. There are no known workarounds for this issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| onedev_project | onedev | < 7.3.0 | 7.3.0 |
| theonedev | onedev | < 7.3.0 | 7.3.0 |
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://blog.sonarsource.com/onedev-remote-code-execution/
https://github.com/theonedev/onedev/commit/8aa94e0daf8447cdf76d4f27bfda0a85a7ea5822
https://github.com/theonedev/onedev/security/advisories/GHSA-h427-rv56-c9h2