cvelist | GitHub_M | CVELIST:CVE-2021-21248
History: Jan 15, 2021 - 8:10 p.m.

CVE-2021-21248 Post-Auth Arbitrary Code execution via Groovy script injection

2021-01-15 20:10:30
CWE-74
GitHub_M
www.cve.org
5
onedev
4.0.3
security vulnerability
groovy script injection
arbitrary code execution
build endpoint parameters

CVSS3: 9.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

AI Score: 9.6
Confidence: High

EPSS: 0.001
Percentile: 42.0%

OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define the parameters of a Build spec, and it does so by using dynamically generated Groovy classes. A user able to control job parameters can run arbitrary code on OneDev's server by injecting arbitrary Groovy code. The end result is the injection of a static constructor that will run arbitrary code. For a full example, refer to the referenced GHSA. This issue was addressed in 4.0.3 by escaping special characters, such as quotes, in user input.

CNA Affected

[
  {
    "product": "onedev",
    "vendor": "theonedev",
    "versions": [
      {
        "status": "affected",
        "version": "< 4.0.3"
      }
    ]
  }
]
