CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21249 – Post-Auth Unsafe Yaml deserialization
https://notcve.org/view.php?id=CVE-2021-21249
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution. In order to parse and process YAML files, OneDev uses SnakeYaml which by default (when not using `SafeConstructor`) allows the instantiation of arbitrary classes. We can leverage that to run arbitrary code by instantiating classes such as `javax.script.ScriptEngineManager` and using `URLClassLoader` to load the script engine provider, resulting in the instantiation of a user controlled class. For a full example refer to the referenced GHSA. • https://github.com/theonedev/onedev/commit/d6fc4212b1ac1e9bbe3ce444e95f9af1e3ab8b66 https://github.com/theonedev/onedev/security/advisories/GHSA-7xhq-m2q9-6hpm • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21248 – Post-Auth Arbitrary Code execution via Groovy script injection
https://notcve.org/view.php?id=CVE-2021-21248
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job parameters can run arbitrary code on OneDev's server by injecting arbitrary Groovy code. • https://github.com/theonedev/onedev/commit/39d95ab8122c5d9ed18e69dc024870cae08d2d60 https://github.com/theonedev/onedev/security/advisories/GHSA-gwp4-5498-hv5f • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21250 – Post-Auth External Entity Expansion (XXE)
https://notcve.org/view.php?id=CVE-2021-21250
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString); which processes the XML document without preventing the expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents in the final XML document to be migrated. If the files are dumped in properties included in the YAML file, it will be possible for an attacker to read them. • https://github.com/theonedev/onedev/commit/9196fd795e87dab069b4260a3590a0ea886e770f https://github.com/theonedev/onedev/security/advisories/GHSA-9pph-8gfc-6w2r • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21251 – ZipSlip Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2021-21251
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3 there is a critical "zip slip" vulnerability. This issue may lead to arbitrary file write. The KubernetesResource REST endpoint untars user controlled data from the request body using TarUtils. TarUtils is a custom library method leveraging Apache Commons Compress. • https://github.com/theonedev/onedev/security/advisories/GHSA-2w6j-wc8c-9mq2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 63%CPEs: 1EXPL: 0CVE-2021-21242 – Pre-Auth Unsafe Deserialization on AttachmentUploadServet
https://notcve.org/view.php?id=CVE-2021-21242
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or authorization checks. This issue may lead to pre-auth remote code execution. • https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be https://github.com/theonedev/onedev/security/advisories/GHSA-5q3q-f373-2jv8 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •