
183 matches found

CVE
added 2021/01/15 8:10 p.m. · 65 views

CVE-2021-21248

CVE-2021-21248 affects OneDev before 4.0.3. The vulnerability lies in the build endpoint parameters via InputSpec, which uses dynamically generated Groovy classes; an attacker who controls job parameters can inject Groovy code, leading to arbitrary code execution through a static constructor on t...

CVSS 9.6 · AI score 8.9 · EPSS 0.00351
Exploits 0 · References 2 · Affected Software 1
CVE
added 2021/01/15 8:10 p.m. · 60 views

CVE-2021-21250

OneDev prior to 4.0.3 is affected by a critical XXE in BuildSpec XML processing: XmlBuildSpecMigrator.migrate(buildSpecString) expands external entities, allowing an attacker to read arbitrary filesystem files (if dumped into YAML properties) or exfiltrate data out of band. The flaw is mitigated ...

CVSS 7.7 · AI score 6.5 · EPSS 0.00288
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2021/01/15 8:10 p.m. · 15 views

CVE-2021-21250 Post-Auth External Entity Expansion (XXE)

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString), which processes the XML document withou...

CVSS 7.7 · AI score 7.6 · EPSS 0.00288
Exploits 0 · References 2
Cvelist
added 2021/01/15 8:10 p.m. · 10 views

CVE-2021-21251 ZipSlip Arbitrary File Upload

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3 there is a critical "zip slip" vulnerability. This issue may lead to arbitrary file write. The KubernetesResource REST endpoint untars user controlled data from the request body using TarUtils. TarUtils is a custom library...

CVSS 7.7 · AI score 8.8 · EPSS 0.00711
Exploits 0 · References 1
CVE
added 2021/01/15 8:10 p.m. · 70 views

CVE-2021-21251

CVE-2021-21251 (OneDev) affects OneDev prior to version 4.0.3, where the KubernetesResource REST endpoint untars user-supplied data via TarUtils (built on Apache Commons Compress). The untar process lacks checks to prevent files from traversing the filesystem and overwriting existing files, enabl...

CVSS 8.8 · AI score 8.2 · EPSS 0.00711
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2021/01/15 8:05 p.m. · 10 views

CVE-2021-21242 Pre-Auth Unsafe Deserialization on AttachmentUploadServlet

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the Attachment-Support header. This Servlet does not enforce any authentication or...

CVSS 10 · AI score 10 · EPSS 0.40366
Exploits 0 · References 2
CVE
added 2021/01/15 8:05 p.m. · 67 views

CVE-2021-21242

CVE-2021-21242 affects OneDev before version 4.0.3. The vulnerability lies in the AttachmentUploadServlet, which deserializes untrusted data from the Attachment-Support header and does not enforce authentication/authorization, enabling pre-auth remote code execution. The issue is fixed in 4.0.3 by...

CVSS 10 · AI score 10 · EPSS 0.40366
Exploits 0 · References 2 · Affected Software 1
CVE
added 2021/01/15 8:05 p.m. · 65 views

CVE-2021-21243

CVE-2021-21243 affects OneDev before version 4.0.3, where two Kubernetes REST endpoints deserialized untrusted data from the request body and did not enforce authentication or authorization. This can lead to pre-auth remote code execution. The issue is mitigated in 4.0.3 by avoiding deserializati...

CVSS 10 · AI score 9.6 · EPSS 0.02507
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2021/01/15 8:05 p.m. · 11 views

CVE-2021-21244 Pre-Auth SSTI via Bean validation message tampering

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation...

CVSS 10 · AI score 9.7 · EPSS 0.00386
Exploits 0 · References 2
CVE
added 2021/01/15 8:05 p.m. · 48 views

CVE-2021-21244

CVE-2021-21244 affects OneDev before version 4.0.3. A pre-auth server-side template injection occurs via tampering with Bean validation messages, enabling SSTI. The root cause is a failure in validation message handling that allows interpolation to be exploited. The issue was fixed in 4.0.3 by disa...

CVSS 10 · AI score 9.6 · EPSS 0.00386
Exploits 0 · References 2 · Affected Software 1
CNNVD
added 2021/01/15 12:00 a.m. · 2 views

Theonedev Onedev Code Issue Vulnerability

Theonedev Onedev is a Java-based all-in-one DevOps platform from the Theonedev team. The platform supports container build, orchestration, CI, Git management, team collaboration and other features to help developers build a simple, powerful development platform. Theonedev A code issue vulnerabili...

CVSS 10 · AI score 7.5 · EPSS 0.00345
Exploits 0 · References 3
CNNVD
added 2021/01/15 12:00 a.m. · 3 views

Theonedev Onedev Code Issue Vulnerability

Theonedev Onedev is a Java-based all-in-one DevOps platform from the Theonedev team. The platform supports container build, orchestration, CI, Git management, team collaboration and other features to help developers build a simple, powerful development platform. OneDev versions prior to 4.0.3 hav...

CVSS 9.6 · AI score 7.4 · EPSS 0.01295
Exploits 0 · References 3
Positive Technologies
added 2021/01/15 12:00 a.m. · 2 views

PT-2021-14354 · Onedev · Onedev

Name of the Vulnerable Software and Affected Versions: OneDev versions prior to 4.0.3. Description: The issue is related to a pre-auth server side template injection via Bean validation message tampering in OneDev, an all-in-one devops platform. This was fixed in version 4.0.3 by disabling...

CVSS 10 · AI score 9.4 · EPSS 0.00386
Exploits 0 · References 6
CNNVD
added 2021/01/15 12:00 a.m. · 2 views

Theonedev Onedev Code Issue Vulnerability

Theonedev Onedev is a Java-based all-in-one DevOps platform from the Theonedev team. The platform supports container build, orchestration, CI, Git management, team collaboration and other features to help developers build a simple, powerful development platform. Theonedev A security vulnerability...

CVSS 10 · AI score 7.3 · EPSS 0.02507
Exploits 0 · References 3
CNNVD
added 2021/01/15 12:00 a.m. · 1 view

Theonedev Onedev Code Injection Vulnerability

Theonedev Onedev is a Java-based all-in-one DevOps platform from the Theonedev team. The platform supports container build, orchestration, CI, Git management, team collaboration and other features to help developers build a simple, powerful development platform. Theonedev An injection vulnerabili...

CVSS 10 · AI score 7.3 · EPSS 0.00386
Exploits 0 · References 3
CNNVD
added 2021/01/15 12:00 a.m. · 4 views

Theonedev Onedev Code Injection Vulnerability

Theonedev Onedev is a Java-based all-in-one DevOps platform from the Theonedev team. The platform supports container build, orchestration, CI, Git management, team collaboration and other features to help developers build a simple, powerful development platform. OneDev version before 4.0.3 has a...

CVSS 9.6 · AI score 7.4 · EPSS 0.00351
Exploits 0 · References 3
Positive Technologies
added 2021/01/15 12:00 a.m. · 2 views

PT-2021-14358 · Onedev · Onedev

Name of the Vulnerable Software and Affected Versions: OneDev versions prior to 4.0.3. Description: OneDev is an all-in-one devops platform with a critical issue involving the build endpoint parameters. The InputSpec is used to define parameters of a Build spec, utilizing dynamically generated...

CVSS 9.6 · AI score 9.3 · EPSS 0.00351
Exploits 0 · References 6
Positive Technologies
added 2021/01/15 12:00 a.m. · 3 views

PT-2021-14356

Name of the Vulnerable Software and Affected Versions: OneDev versions prior to 4.0.3. Description: OneDev is an all-in-one devops platform. The REST UserResource endpoint performs a security check to ensure only administrators can list user details. However, the /users/id endpoint lacks security...

CVSS 8.6 · AI score 5.7 · EPSS 0.24883
Exploits 0 · References 7
CNNVD
added 2021/01/15 12:00 a.m. · 1 view

Theonedev Onedev Security Breach

Theonedev Onedev is a Java-based all-in-one DevOps platform from the Theonedev team. The platform supports container build, orchestration, CI, Git management, team collaboration and other features to help developers build a simple, powerful development platform. OneDev before version 4.0.3 has a...

CVSS 7.7 · AI score 6.7 · EPSS 0.00288
Exploits 0 · References 3
CNNVD
added 2021/01/15 12:00 a.m. · 2 views

Theonedev Onedev Code Issue Vulnerability

Theonedev Onedev is a Java-based all-in-one DevOps platform from the Theonedev team. The platform supports container build, orchestration, CI, Git management, team collaboration and other features to help developers build a simple, powerful development platform. A code issue vulnerability exists ...

CVSS 9.6 · AI score 7.4 · EPSS 0.00307
Exploits 0 · References 2