Page 4 of 18 results (0.005 seconds)

CVSS: 10.0EPSS: 63%CPEs: 1EXPL: 0

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or authorization checks. This issue may lead to pre-auth remote code execution. • https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be https://github.com/theonedev/onedev/security/advisories/GHSA-5q3q-f373-2jv8 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •

CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks. This issue may lead to pre-auth RCE. This issue was fixed in 4.0.3 by not using deserialization at KubernetesResource side. • https://github.com/theonedev/onedev/commit/9637fc8fa461c5777282a0021c3deb1e7a48f137 https://github.com/theonedev/onedev/security/advisories/GHSA-9mmq-fm8c-q4fv • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely. OneDev es una plataforma devops todo en uno. • https://github.com/theonedev/onedev/commit/4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65 https://github.com/theonedev/onedev/security/advisories/GHSA-vm26-xg39-cfj4 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •