Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:CVE-2021-21248
HistoryJan 15, 2021 - 9:15 p.m.

CVE-2021-21248

2021-01-1521:15:13
Google
osv.dev
4
onedev
devops platform
vulnerability
build endpoint
inputspec
groovy
code injection
server
security patch

AI Score

7.5

Confidence

Low

EPSS

0.001

Percentile

42.0%

JSON

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job parameters can run arbitrary code on OneDev’s server by injecting arbitrary Groovy code. The ultimate result is in the injection of a static constructor that will run arbitrary code. For a full example refer to the referenced GHSA. This issue was addressed in 4.0.3 by escaping special characters such as quote from user input.

Related

prion 1
nvd 1
cvelist 1
cve 1
prion
prion
Crlf injection
2021-01-15 21:15:00
nvd
nvd
CVE-2021-21248
2021-01-15 21:15:13
cvelist
cvelist
CVE-2021-21248 Post-Auth Arbitrary Code execution via Groovy script injection
2021-01-15 20:10:30
cve
cve
CVE-2021-21248
2021-01-15 21:15:13

AI Score

7.5

Confidence

Low

EPSS

0.001

Percentile

42.0%

JSON
Related for OSV:CVE-2021-21248
prion1nvd1cvelist1cve1