Onedev Project Onedev vulnerabilities
18 known vulnerabilities affecting onedev_project/onedev.
Total CVEs: 18
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 6, HIGH 9, MEDIUM 3
Vulnerabilities
CVE-2024-45309 [HIGH] CWE-200 | P1 | CVSS 7.5 | Exploited | PoC | fixed in 11.0.9 | 2024-10-21
OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9.
nvd
CVE-2021-21246 [HIGH] CWE-862 | P2 | CVSS 7.5 | PoC | fixed in 4.0.3 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/{id}` endpoint there are no security checks enforced so it is possible to retrieve arbitrary user details including their Access Tokens! T
nvd
CVE-2021-21242 [CRITICAL] CWE-74 | P2 | CVSS 9.8 | fixed in 4.0.3 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or authorization checks. This issue may lead to pre-au
nvd
CVE-2021-21243 [CRITICAL] CWE-74 | P2 | CVSS 9.8 | fixed in 4.0.3 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks. This issue may lead to pre-auth RCE. This issue was fixed in 4.0.3 by not using deserialization at Ku
nvd
CVE-2022-39206 [CRITICAL] CWE-610 | P2 | CVSS 9.9 | fixed in 7.3.0 | 2022-09-13
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daemon on the host machine. This is a known dangerous p
nvd
CVE-2022-39205 [CRITICAL] CWE-287 | P2 | CVSS 9.8 | fixed in 7.3.0 | 2022-09-13
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior to 7.3.0 unauthenticated users can take over a OneDev instance if there is no properly configured reverse proxy. The /git-prereceive-callback endpoint is used by the pre-receive git hook on the server to check for branch protections during a push eve
nvd
CVE-2021-21251 [HIGH] CWE-22 | P2 | CVSS 8.8 | fixed in 4.0.3 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3 there is a critical "zip slip" vulnerability. This issue may lead to arbitrary file write. The KubernetesResource REST endpoint untars user controlled data from the request body using TarUtils. TarUtils is a custom library method leveraging Apache Commons Compress. During the untar
nvd
CVE-2021-21249 [HIGH] CWE-74 | P3 | CVSS 8.8 | fixed in 4.0.3 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution. In order to parse and process YAML files, OneDev uses SnakeYaml which by default (when not using `SafeConstructor`) allows the instantiation of arbitrary classes. We can leverage that to ru
nvd
CVE-2021-21245 [CRITICAL] CWE-434 | P3 | CVSS 9.8 | fixed in 4.0.3 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to upload a WebShell to OneDev server. This issue is addressed
nvd
CVE-2023-24828 [HIGH] CWE-338 | P3 | CVSS 8.8 | fixed in 7.9.12 | 2023-02-08
Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12 the algorithm used to generate access token and password reset keys was not cryptographically secure. Existing normal users (or everyone if it allows self-registration) may exploit this to elevate privilege to obtain administrator permission. This issue has been ad
nvd
CVE-2021-21248 [HIGH] CWE-74 | P3 | CVSS 8.8 | fixed in 4.0.3 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job parameters can run arbitrary code on OneDev's server by injecting
nvd
CVE-2021-21247 [HIGH] CWE-74 | P3 | CVSS 8.8 | fixed in 4.0.3 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (`AbstractPostAjaxBehavior`) in all pages other than the login page. This listener decodes and deserializes the `data` query parameter. We can access this listener by submitting a POST request to any page. This issue may l
nvd
CVE-2021-21244 [CRITICAL] CWE-74 | P3 | CVSS 9.8 | fixed in 4.0.3 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a vulnerability that enabled pre-auth server-side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely.
nvd
CVE-2022-38301 [HIGH] CWE-22 | P3 | CVSS 8.8 | v7.4.14 | 2022-09-14
Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories via uploading a crafted JAR file into the directory /opt/onedev/lib.
nvd
CVE-2022-39208 [HIGH] CWE-552 | P3 | CVSS 7.5 | fixed in 7.3.0 | 2022-09-13
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file disclosure vulnerability can be used by unauthenticated attackers to leak all pro
nvd
CVE-2021-21250 [MEDIUM] CWE-538 | P3 | CVSS 6.5 | fixed in 4.0.3 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by `XmlBuildSpecMigrator.migrate(buildSpecString)`, which processes the XML document without preventing the expansion of external entities. The
nvd
CVE-2022-39207 [MEDIUM] CWE-79 | P4 | CVSS 5.4 | fixed in 7.3.0 | 2022-09-13
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. During CI/CD builds, it is possible to save build artifacts for later retrieval. They can be accessed through OneDev's web UI after the successful run of a build. These artifact files are served by the webserver in the same context as the UI without any further restrictions. This
nvd
CVE-2021-32651 [MEDIUM] CWE-90 | P4 | CVSS 4.3 | fixed in 4.4.2 | 2021-06-01
OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter
nvd