CVE-2021-21246

Pre-Auth Access token leak

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/{id}` endpoint there are no security checks enforced so it is possible to retrieve arbitrary user details including their Access Tokens! These access tokens can be used to access the API or clone code in the build spec via the HTTP(S) protocol. It has permissions to all projects accessible by the user account. This issue may lead to `Sensitive data leak` and leak the Access Token which can be used to impersonate the administrator or any other users. This issue was addressed in 4.0.3 by removing user info from restful api.

OneDev es una plataforma devops todo en uno. En OneDev versiones anteriores a 4.0.3, el endpoint de REST UserResource lleva a cabo una comprobación de seguridad para asegurarse de que solo los administradores puedan enumerar los detalles del usuario. Sin embargo, para el endpoint "/users/{id}" no son aplicados controles de seguridad, por lo que es posible recuperar detalles arbitrarios del usuario, incluyendo sus tokens de acceso. Estos tokens de acceso pueden ser usados para acceder a la API o al código de clonación en la especificación de compilación por medio del protocolo HTTP(S). Presenta permisos para todos los proyectos accesibles por la cuenta de usuario. Este problema puede conllevar a una "filtración de datos confidenciales" y el token de acceso, que puede ser usada para hacerse pasar por el administrador o cualquier otro usuario. Este problema fue abordado en la versión 4.0.3 al eliminar la información del usuario de la API restful

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-22 CVE Reserved
2021-01-15 CVE Published
2023-10-01 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-862: Missing Authorization

CAPEC

References (2)

URL	Tag	Source
https://github.com/theonedev/onedev/security/advisories/GHSA-66v7-gg85-f4gx	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/theonedev/onedev/commit/a4491e5f79dc6cc96eac20972eedc8905ddf6089	2021-01-21

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Onedev Project Search vendor "Onedev Project"		Onedev Search vendor "Onedev Project" for product "Onedev"				< 4.0.3 Search vendor "Onedev Project" for product "Onedev" and version " < 4.0.3"		-		Affected