CVE-2021-21247 – Post-Auth Unsafe Deserialization on BasePage (AJAX)
https://notcve.org/view.php?id=CVE-2021-21247
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (`AbstractPostAjaxBehavior`) on every page other than the login page. This listener decodes and deserializes the `data` query parameter, and it can be reached by submitting a POST request to any page. The issue may lead to post-auth RCE. The endpoint is subject to authentication and therefore requires a valid user account to carry out the attack.

References:
https://github.com/theonedev/onedev/security/advisories/GHSA-6pxf-75cf-vwjp

Weaknesses:
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-502: Deserialization of Untrusted Data
CVE-2021-21249 – Post-Auth Unsafe Yaml deserialization
https://notcve.org/view.php?id=CVE-2021-21249
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution. To parse and process YAML files, OneDev uses SnakeYaml, which by default (when not using `SafeConstructor`) allows the instantiation of arbitrary classes. An attacker can leverage that to run arbitrary code by instantiating classes such as `javax.script.ScriptEngineManager` and using `URLClassLoader` to load the script engine provider, resulting in the instantiation of a user-controlled class. For a full example refer to the referenced GHSA.

References:
https://github.com/theonedev/onedev/commit/d6fc4212b1ac1e9bbe3ce444e95f9af1e3ab8b66
https://github.com/theonedev/onedev/security/advisories/GHSA-7xhq-m2q9-6hpm

Weaknesses:
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-502: Deserialization of Untrusted Data
CVE-2021-21248 – Post-Auth Arbitrary Code execution via Groovy script injection
https://notcve.org/view.php?id=CVE-2021-21248
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define the parameters of a BuildSpec, and it does so by using dynamically generated Groovy classes. A user able to control job parameters can run arbitrary code on the OneDev server by injecting arbitrary Groovy code.

References:
https://github.com/theonedev/onedev/commit/39d95ab8122c5d9ed18e69dc024870cae08d2d60
https://github.com/theonedev/onedev/security/advisories/GHSA-gwp4-5498-hv5f

Weaknesses:
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2021-21250 – Post-Auth External Entity Expansion (XXE)
https://notcve.org/view.php?id=CVE-2021-21250
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When a BuildSpec is provided in XML format, the spec is processed by `XmlBuildSpecMigrator.migrate(buildSpecString)`, which parses the XML document without preventing the expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents into the final XML document to be migrated. If the file contents end up in properties included in the resulting YAML file, an attacker can read them.

References:
https://github.com/theonedev/onedev/commit/9196fd795e87dab069b4260a3590a0ea886e770f
https://github.com/theonedev/onedev/security/advisories/GHSA-9pph-8gfc-6w2r

Weaknesses:
CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
CVE-2021-21251 – ZipSlip Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2021-21251
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical "zip slip" vulnerability which may lead to arbitrary file write. The KubernetesResource REST endpoint untars user-controlled data from the request body using TarUtils, a custom library method built on Apache Commons Compress, without validating that the extracted entry paths stay inside the intended target directory.

References:
https://github.com/theonedev/onedev/security/advisories/GHSA-2w6j-wc8c-9mq2

Weaknesses:
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')