cbcvebase.

Theonedev Onedev vulnerabilities

22 known vulnerabilities affecting theonedev/onedev.

Total CVEs
22
CISA KEV
0
Public exploits
2
Exploited in wild
1
Severity breakdown
CRITICAL6HIGH9MEDIUM7

Vulnerabilities

Page 1 of 2
CVE-2024-45309P1HIGHCVSS 7.5ExploitedPoCfixed in 11.0.92024-10-21
CVE-2024-45309 [HIGH] CWE-200 CVE-2024-45309: OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9.
nvd
CVE-2021-21246P2HIGHCVSS 7.5PoCfixed in 4.0.32021-01-15
CVE-2021-21246 [HIGH] CWE-862 CVE-2021-21246: OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpo OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/{id}` endpoint there are no security checks enforced so it is possible to retrieve arbitrary user details including their Access Tokens! T
nvd
CVE-2021-21242P2CRITICALCVSS 9.8fixed in 4.0.32021-01-15
CVE-2021-21242 [CRITICAL] CWE-74 CVE-2021-21242: OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnera OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or authorization checks. This issue may lead to pre-au
nvd
CVE-2021-21243P2CRITICALCVSS 9.8fixed in 4.0.32021-01-15
CVE-2021-21243 [CRITICAL] CWE-74 CVE-2021-21243: OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks. This issue may lead to pre-auth RCE. This issue was fixed in 4.0.3 by not using deserialization at Ku
nvd
CVE-2022-39206P2CRITICALCVSS 9.9fixed in 7.3.02022-09-13
CVE-2022-39206 [CRITICAL] CWE-610 CVE-2022-39206: Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daemon on the host machine. This is a known dangerous p
nvd
CVE-2022-39205P2CRITICALCVSS 9.8fixed in 7.3.02022-09-13
CVE-2022-39205 [CRITICAL] CWE-287 CVE-2022-39205: Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior to 7.3.0 unauthenticated users can take over a OneDev instance if there is no properly configured reverse proxy. The /git-prereceive-callback endpoint is used by the pre-receive git hook on the server to check for branch protections during a push eve
nvd
CVE-2021-21251P2HIGHCVSS 8.8fixed in 15.0.72021-01-15
CVE-2021-21251 [HIGH] CWE-22 CVE-2021-21251: OneDev is an all-in-one devops platform. In OneDev before version 4.0.3 there is a critical "zip sli OneDev is an all-in-one devops platform. In OneDev before version 4.0.3 there is a critical "zip slip" vulnerability. This issue may lead to arbitrary file write. The KubernetesResource REST endpoint untars user controlled data from the request body using TarUtils. TarUtils is a custom library method leveraging Apache Commons Compress. During the untar
nvd
CVE-2021-21249P3HIGHCVSS 8.8fixed in 4.0.32021-01-15
CVE-2021-21249 [HIGH] CWE-74 CVE-2021-21249: OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution. In order to parse and process YAML files, OneDev uses SnakeYaml which by default (when not using `SafeConstructor`) allows the instantiation of arbitrary classes. We can leverage that to ru
nvd
CVE-2021-21245P3CRITICALCVSS 9.8fixed in 4.0.32021-01-15
CVE-2021-21245 [CRITICAL] CWE-434 CVE-2021-21245: OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet als OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to upload a WebShell to OneDev server. This issue is addressed
nvd
CVE-2023-24828P3HIGHCVSS 8.8fixed in 7.9.122023-02-08
CVE-2023-24828 [HIGH] CWE-338 CVE-2023-24828: Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12 the algorithm Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12 the algorithm used to generate access token and password reset keys was not cryptographically secure. Existing normal users (or everyone if it allows self-registration) may exploit this to elevate privilege to obtain administrator permission. This issue is has been ad
nvd
CVE-2021-21248P3HIGHCVSS 8.8fixed in 4.0.32021-01-15
CVE-2021-21248 [HIGH] CWE-74 CVE-2021-21248: OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnera OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job parameters can run arbitrary code on OneDev's server by injecting
nvd
CVE-2021-21247P3HIGHCVSS 8.8fixed in 4.0.32021-01-15
CVE-2021-21247 [HIGH] CWE-74 CVE-2021-21247: OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (`AbstractPostAjaxBehavior`) in all pages other than the login page. This listener decodes and deserializes the `data` query parameter. We can access this listener by submitting a POST request to any page. This issue may l
nvd
CVE-2021-21244P3CRITICALCVSS 9.8fixed in 4.0.32021-01-15
CVE-2021-21244 [CRITICAL] CWE-74 CVE-2021-21244: OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability th OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely.
nvd
CVE-2022-39208P3HIGHCVSS 7.5fixed in 7.3.02022-09-13
CVE-2022-39208 [HIGH] CWE-552 CVE-2022-39208: Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file disclosure vulnerability can be used by unauthenticated attackers to leak all pro
nvd
CVE-2026-44647P3HIGHCVSS 7.1fixed in 15.0.22026-05-14
CVE-2026-44647 [HIGH] CWE-22 CVE-2026-44647: OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that bre OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that the server account can access. User with push permission to any repository
nvd
CVE-2026-11441P3MEDIUMCVSS 6.3v15.0.0v15.0.1+4 more2026-06-06
CVE-2026-11441 [MEDIUM] CWE-266 CVE-2026-11441: A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the func A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this
nvd
CVE-2026-11440P3MEDIUMCVSS 6.3v15.0.0v15.0.1+4 more2026-06-06
CVE-2026-11440 [MEDIUM] CWE-266 CVE-2026-11440: A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mit
nvd
CVE-2026-11438P3MEDIUMCVSS 6.3v15.0.0v15.0.1+4 more2026-06-06
CVE-2026-11438 [MEDIUM] CWE-266 CVE-2026-11438: A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is a A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the af
nvd
CVE-2026-11439P3MEDIUMCVSS 6.3v15.0.0v15.0.1+4 more2026-06-06
CVE-2026-11439 [MEDIUM] CWE-266 CVE-2026-11439: A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown f A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this iss
nvd
CVE-2021-21250P3MEDIUMCVSS 6.5fixed in 4.0.32021-01-15
CVE-2021-21250 [MEDIUM] CWE-538 CVE-2021-21250: OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnera OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString); which processes the XML document without preventing the expansion of external entities. The
nvd
Theonedev Onedev vulnerabilities | cvebase