Lucene search

GoogleOSV:CVE-2023-24828

HistoryFeb 08, 2023 - 12:15 a.m.

CVE-2023-24828

2023-02-0800:15:08

Google

osv.dev

onedev

git server

privilege elevation

vulnerability

upgrade

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.3%

JSON

Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12 the algorithm used to generate access token and password reset keys was not cryptographically secure. Existing normal users (or everyone if it allows self-registration) may exploit this to elevate privilege to obtain administrator permission. This issue is has been addressed in version 7.9.12. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CPENameOperatorVersion
onedeveq7.3.14
onedeveq4.2.2
onedeveq7.4.26
onedeveq6.3.8
onedeveq7.3.6
onedeveq4.6.0
onedeveq7.1.7
onedeveq6.3.1
onedeveq7.0.8
onedeveq7.7.7

Name	Operator	Version
onedev	eq	7.3.14
onedev	eq	4.2.2
onedev	eq	7.4.26
onedev	eq	6.3.8
onedev	eq	7.3.6
onedev	eq	4.6.0
onedev	eq	7.1.7
onedev	eq	6.3.1
onedev	eq	7.0.8
onedev	eq	7.7.7

Rows per page:

1-10 of 2491

References

github.com/theonedev/onedev/commit/d67dd9686897fe5e4ab881d749464aa7c06a68e5

github.com/theonedev/onedev/security/advisories/GHSA-jf5c-9r77-3j5j

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.3%

JSON

Related for OSV:CVE-2023-24828