CVE-2021-21249
Post-Auth Unsafe Yaml deserialization
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution. In order to parse and process YAML files, OneDev uses SnakeYaml which by default (when not using `SafeConstructor`) allows the instantiation of arbitrary classes. We can leverage that to run arbitrary code by instantiating classes such as `javax.script.ScriptEngineManager` and using `URLClassLoader` to load the script engine provider, resulting in the instantiation of a user controlled class. For a full example refer to the referenced GHSA. This issue was addressed in 4.0.3 by only allowing certain known classes to be deserialized
OneDev es una plataforma devops todo en uno. En OneDev versiones anteriores a 4.0.3, Se presenta un problema relacionado con el análisis de YAML que puede conllevar a una ejecución de código remota posterior a la autenticación. Para analizar y procesar archivos YAML, OneDev usa SnakeYaml que por defecto (cuando no usa "SafeConstructor") permite la instanciación de clases arbitrarias. Podemos aprovechar eso para ejecutar código arbitrario creando instancias de clases como "javax.script.ScriptEngineManager" y usando "URLClassLoader" para cargar el proveedor del motor de script, resultando en la instanciación de una clase controlada por el usuario. Para obtener un ejemplo completo, consulte la GHSA referenciada. Este problema fue abordado en la versión 4.0.3, al permitir que determinadas clases conocidas sean deserializadas
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-12-22 CVE Reserved
- 2021-01-15 CVE Published
- 2024-08-03 CVE Updated
- 2024-10-02 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://github.com/theonedev/onedev/security/advisories/GHSA-7xhq-m2q9-6hpm | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/theonedev/onedev/commit/d6fc4212b1ac1e9bbe3ce444e95f9af1e3ab8b66 | 2022-04-26 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Onedev Project Search vendor "Onedev Project" | Onedev Search vendor "Onedev Project" for product "Onedev" | < 4.0.3 Search vendor "Onedev Project" for product "Onedev" and version " < 4.0.3" | - |
Affected
| ||||||