181 matches found

Prion
added 2021/01/15 9:15 p.m. | 12 views

Design/Logic Flaw

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener AbstractPostAjaxBehavior in all pages other than the login page. This listener decodes and deserializes the data query parameter. We can access this listener by...

CVSS 6.5 | AI score 8.5 | EPSS 0.00307
Exploits: 0 | References: 1 | Affected Software: 1

Prion
added 2021/01/15 9:15 p.m. | 13 views

Design/Logic Flaw

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (request.getInputStream()) to a user specified location (request.getHeader("File-Name")). This issue may lead to arbitrary file upload which can be used to upload a WebShell to...

CVSS 7.5 | AI score 9.1 | EPSS 0.00345
Exploits: 0 | References: 2 | Affected Software: 1

Prion
added 2021/01/15 9:15 p.m. | 15 views

Crlf injection

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job paramete...

CVSS 6.5 | AI score 8.7 | EPSS 0.00351
Exploits: 0 | References: 2 | Affected Software: 1

Prion
added 2021/01/15 9:15 p.m. | 12 views

Design/Logic Flaw

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString), which processes the XML document withou...

CVSS 4 | AI score 6.3 | EPSS 0.00288
Exploits: 0 | References: 2 | Affected Software: 1

NVD
added 2021/01/15 8:15 p.m. | 10 views

CVE-2021-21243

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks. This issue may lead to pre-auth RCE. This issue...

CVSS 10 | AI score 9.6 | EPSS 0.02507
Exploits: 0 | References: 2

OSV
added 2021/01/15 8:15 p.m. | 10 views

CVE-2021-21244

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation...

CVSS 9.8 | AI score 7.1
Exploits: 0 | References: 2

NVD
added 2021/01/15 8:15 p.m. | 8 views

CVE-2021-21244

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation...

CVSS 10 | AI score 9.6 | EPSS 0.00386
Exploits: 0 | References: 2

OSV
added 2021/01/15 8:15 p.m. | 12 views

CVE-2021-21243

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks. This issue may lead to pre-auth RCE. This issue...

CVSS 9.8 | AI score 7
Exploits: 0 | References: 2

Prion
added 2021/01/15 8:15 p.m. | 17 views

Input validation

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation...

CVSS 7.5 | AI score 9.4 | EPSS 0.00386
Exploits: 0 | References: 2 | Affected Software: 1

Prion
added 2021/01/15 8:15 p.m. | 6 views

Authorization

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks. This issue may lead to pre-auth RCE. This issue...

CVSS 7.5 | AI score 9.4 | EPSS 0.02507
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2021/01/15 8:10 p.m. | 12 views

CVE-2021-21245 Pre-Auth Arbitrary File Upload

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (request.getInputStream()) to a user specified location (request.getHeader("File-Name")). This issue may lead to arbitrary file upload which can be used to upload a WebShell to...

CVSS 10 | AI score 9.4 | EPSS 0.00345
Exploits: 0 | References: 2

CVE
added 2021/01/15 8:10 p.m. | 50 views

CVE-2021-21245

CVE-2021-21245 affects OneDev prior to 4.0.3, where AttachmentUploadServlet saves user-controlled data from the request into a user-specified path via File-Name header. This can enable arbitrary file upload and potential WebShell deployment on the OneDev server. The issue is addressed in 4.0.3 by...

CVSS 10 | AI score 9.4 | EPSS 0.00345
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2021/01/15 8:10 p.m. | 66 views

CVE-2021-21246

OneDev before 4.0.3 exposes an insecure REST endpoint: GET /users/{id} lacks authorization checks, enabling retrieval of arbitrary user details and Access Tokens. This permits potential impersonation and sensitive data exposure across projects accessible by the user. The issue is fixed in version...

CVSS 8.6 | AI score 7.7 | EPSS 0.24883
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2021/01/15 8:10 p.m. | 13 views

CVE-2021-21246 Pre-Auth Access token leak

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However, for the /users/{id} endpoint there are no security checks enforced so it is possible to retrieve...

CVSS 8.6 | AI score 8.7 | EPSS 0.24883
Exploits: 0 | References: 2

CVE
added 2021/01/15 8:10 p.m. | 60 views

CVE-2021-21247

OneDev before 4.0.3 embeds an AJAX event listener (AbstractPostAjaxBehavior) on all pages except login, which decodes/deserializes the data parameter via POST. This authenticated vulnerability can be triggered by a logged-in user and may lead to post-auth RCE. The issue is mitigated in version 4....

CVSS 9.6 | AI score 8.7 | EPSS 0.00307
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2021/01/15 8:10 p.m. | 71 views

CVE-2021-21249

CVE-2021-21249 affects OneDev prior to 4.0.3, where YAML parsing with SnakeYaml could deserialize arbitrary classes, enabling post-auth remote code execution. The root cause is unsafe deserialization when not using SafeConstructor, allowing crafted YAML to instantiate user-controlled classes (e.g...

CVSS 9.6 | AI score 9 | EPSS 0.01295
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2021/01/15 8:10 p.m. | 14 views

CVE-2021-21249 Post-Auth Unsafe Yaml deserialization

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution. In order to parse and process YAML files, OneDev uses SnakeYaml which by default when not using SafeConstructor allows the...

CVSS 9.6 | AI score 9.7 | EPSS 0.01295
Exploits: 0 | References: 2

Cvelist
added 2021/01/15 8:10 p.m. | 13 views

CVE-2021-21248 Post-Auth Arbitrary Code execution via Groovy script injection

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job paramete...

CVSS 9.6 | AI score 9.6 | EPSS 0.00351
Exploits: 0 | References: 2

CVE
added 2021/01/15 8:10 p.m. | 65 views

CVE-2021-21248

CVE-2021-21248 affects OneDev before 4.0.3. The vulnerability lies in the build endpoint parameters via InputSpec, which uses dynamically generated Groovy classes; an attacker who controls job parameters can inject Groovy code, leading to arbitrary code execution through a static constructor on t...

CVSS 9.6 | AI score 8.9 | EPSS 0.00351
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2021/01/15 8:10 p.m. | 60 views

CVE-2021-21250

OneDev prior to 4.0.3 is affected by a critical XXE in BuildSpec XML processing: XmlBuildSpecMigrator.migrate(buildSpecString) expands external entities, allowing an attacker to read arbitrary filesystem files (if dumped into YAML properties) or exfiltrate data Out Of Band. The flaw is mitigated ...

CVSS 7.7 | AI score 6.5 | EPSS 0.00288
Exploits: 0 | References: 2 | Affected Software: 1