CVE-2024-45309
published 2024-10-21


Priority: P1 · 82 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploitation status: in the wild (ITW) · public exploit · VulnCheck KEV
EPSS: 24.82% (97.6th percentile)
OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9.

Affected (2 ranges)

Vendor           Product   Version range   Fixed in
onedev_project   onedev    < 11.0.9        11.0.9
theonedev        onedev    < 11.0.9        11.0.9

Detection & IOCs (extracted from sources)

url:   GET {{project}}/~site////////%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e{{path}} HTTP/1.1
path:  /~site////////%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/
({{project}} and {{path}} are template placeholders for a valid project name and the target file path.)
Sigma rule: HTTP GET request path contains '/~site/' followed by multiple '%2e%2e' path traversal sequences
  • Detect path traversal attempts targeting the OneDev `/~site/` endpoint with URL-encoded dot-dot sequences (`%2e%2e`) in HTTP GET requests; no authentication is required for exploitation.
  • Successful exploitation returns HTTP 200 with `Content-Disposition: filename=` and `Content-Type: application/octet-stream` response headers; alert on these headers combined with a traversal path in the request.
  • A valid OneDev project name is required to exploit the vulnerability; if anonymous access is disabled, attackers may brute-force project names from a wordlist.
  • If anonymous access is enabled, any unauthenticated visitor can enumerate existing project names, lowering the bar for exploitation; monitor for unauthenticated project listing requests.
  • Probe payloads target `/etc/passwd` (Linux) and `/windows/win.ini` (Windows); alert on these file paths appearing in HTTP request URIs against OneDev instances.
  • The vulnerability affects OneDev versions prior to 11.0.9 (i.e., <= 11.0.8); version 11.0.9 contains the fix, so scope detections to unpatched instances.
  • The traversal payload uses multiple leading slashes (`////////`) before the `%2e%2e` sequences; detection rules must account for this slash-padding technique and not rely solely on a single `../` pattern. Percent-decode the request path and collapse runs of slashes before matching, so that the padded, encoded form and a plain `../../` compare equal.
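As an added example (not from this page, the Sigma rule, or the OneDev project), the Python below applies the detection logic above to web-server access-log lines: it percent-decodes the request path repeatedly (to unwrap double encoding), maps backslashes and collapses the leading slash padding, and only then counts `..` segments after `/~site/` and checks for the two probe targets. The log lines, the project name `myproj` and the source addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
# Line 1: the slash-padded, percent-encoded payload from the IOC above, probing /etc/passwd.
# Line 2: the same idea with double encoding (%252e), probing /windows/win.ini.
# Line 3: a benign /~site/ request.  Line 4: traversal against a different endpoint.
SAMPLE_LOGS = [
    '10.0.0.5 - - [21/Oct/2024:10:01:02 +0000] "GET /myproj/~site////////%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1432',
    '10.0.0.6 - - [21/Oct/2024:10:01:03 +0000] "GET /myproj/~site/%252e%252e/%252e%252e/windows/win.ini HTTP/1.1" 200 92',
    '10.0.0.7 - - [21/Oct/2024:10:01:04 +0000] "GET /myproj/~site/index.html HTTP/1.1" 200 512',
    '10.0.0.8 - - [21/Oct/2024:10:01:05 +0000] "GET /myproj/~files/../readme.md HTTP/1.1" 404 0',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Probe targets named on the page; matched against the decoded, lower-cased path.
PROBE_TARGETS = ("/etc/passwd", "/windows/win.ini")


def normalize_path(raw_path):
    """Percent-decode (up to 3 rounds, to unwrap double encoding), map
    backslashes to slashes and collapse runs of slashes, so that
    '////////%2e%2e/%2e%2e' and '../..' compare equal."""
    decoded = raw_path
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    decoded = decoded.replace("\\", "/")
    return re.sub(r"/{2,}", "/", decoded)


def classify_request(method, raw_path):
    """Return a finding dict if the request is a /~site/ traversal attempt, else None."""
    if method != "GET":
        return None
    path = normalize_path(raw_path)
    idx = path.find("/~site/")
    if idx < 0:
        return None
    tail = path[idx + len("/~site/"):]
    # Count '..' path segments after /~site/; a single one is enough to alert.
    traversals = len(re.findall(r"(?:^|/)\.\.(?=/|$)", tail))
    if traversals == 0:
        return None
    probes = [t for t in PROBE_TARGETS if t in tail.lower()]
    return {"normalized_path": path, "traversals": traversals, "probe_targets": probes}


def scan_logs(lines):
    """Apply classify_request to each log line. An HTTP 200 on a traversal
    request is treated as a likely successful file read and rated high."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m["method"], m["path"])
        if finding is None:
            continue
        status = int(m["status"])
        finding.update(src=m["src"], status=status,
                       severity="high" if status == 200 else "medium")
        alerts.append(finding)
    return alerts


if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS):
        print(f"{a['severity']:6} {a['src']} status={a['status']} "
              f"traversals={a['traversals']} probes={a['probe_targets']}")
```

This reads request logs only, so it can rate a hit by status code but cannot see the `Content-Disposition` / `application/octet-stream` response headers the rule mentions; correlating on those needs proxy or WAF logs that record response headers. The decode loop is bounded on purpose: unbounded re-decoding of attacker input is its own denial-of-service vector.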

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v4.0      8.7     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck             8.7     HIGH