CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2021-21243 – Pre-Auth Unsafe Deserialization on KubernetesResource
https://notcve.org/view.php?id=CVE-2021-21243
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks. This issue may lead to pre-auth RCE. This issue was fixed in 4.0.3 by not using deserialization at KubernetesResource side. • https://github.com/theonedev/onedev/commit/9637fc8fa461c5777282a0021c3deb1e7a48f137 https://github.com/theonedev/onedev/security/advisories/GHSA-9mmq-fm8c-q4fv • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-21244 – Pre-Auth SSTI via Bean validation message tampering
https://notcve.org/view.php?id=CVE-2021-21244
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely. OneDev es una plataforma devops todo en uno. • https://github.com/theonedev/onedev/commit/4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65 https://github.com/theonedev/onedev/security/advisories/GHSA-vm26-xg39-cfj4 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •