CVE-2021-21251

ZipSlip Arbitrary File Upload

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3 there is a critical "zip slip" vulnerability. This issue may lead to arbitrary file write. The KubernetesResource REST endpoint untars user controlled data from the request body using TarUtils. TarUtils is a custom library method leveraging Apache Commons Compress. During the untar process, there are no checks in place to prevent an untarred file from traversing the file system and overriding an existing file. For a successful exploitation, the attacker requires a valid __JobToken__ which may not be possible to get without using any of the other reported vulnerabilities. But this should be considered a vulnerability in `io.onedev.commons.utils.TarUtils` since it lives in a different artifact and can affect other projects using it. This issue was addressed in 4.0.3 by validating paths in tar archive to only allow them to be in specified folder when extracted.

OneDev es una plataforma devops todo en uno. En OneDev versiones anteriores a 4.0.3, se presenta una vulnerabilidad crítica de "zip slip". Este problema puede conllevar a una escritura de archivo arbitraria. El endpoint REST KubernetesResource deshace los datos controlados por el usuario desde el cuerpo de la petición usando TarUtils. TarUtils es un método de biblioteca personalizado que aprovecha Apache Commons Compress. Durante el proceso untar, no existen comprobaciones para impedir que un archivo sin clasificar atraviese el sistema de archivos y anular un archivo existente. Para una explotación con éxito, el atacante requiere un __JobToken__ válido que puede que no sea posible obtener sin usar ninguna de las otras vulnerabilidades reportadas. Pero esto debería considerarse una vulnerabilidad en "io.onedev.commons.utils.TarUtils" ya que vive en un artefacto diferente y puede afectar a otros proyectos que lo usen. Este problema es corregido en la versión 4.0

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-22 CVE Reserved
2021-01-15 CVE Published
2023-07-14 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (1)

URL	Tag	Source
https://github.com/theonedev/onedev/security/advisories/GHSA-2w6j-wc8c-9mq2	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Onedev Project Search vendor "Onedev Project"		Onedev Search vendor "Onedev Project" for product "Onedev"				< 4.0.3 Search vendor "Onedev Project" for product "Onedev" and version " < 4.0.3"		-		Affected