Onedev
CVE-2021-21246
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the /users/{id} endpoint there are no security checks enforced so it is possible to retrieve arbitrary user details including their Access Tokens! These access tokens can be used to access the API or clone code in the build spec via the HTTP(S) protocol. It has permissions to all projects accessible by the user account. This issue may lead to Sensitive data leak and leak the Access Token which can be used to impersonate the administrator or any other users. This issue was addressed in 4.0.3 by removing user info from restful api.
AnalysisAI
OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
Technical ContextAI
This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the /users/{id} endpoint there are no security checks enforced so it is possible to retrieve arbitrary user details including their Access Tokens! These access tokens can be used to access the API or clone code in the build spec via the HTTP(S) protocol. It has permissions to all projects accessible by the user account. This issue may lead to Sensitive data leak and leak the Access Token which can be used to impersonate the administrator or any other users. This issue was addressed in 4.0.3 by removing user info from restful api. Affected products include: Onedev Project Onedev. Version information: version 4.0.3.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnera
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnera
Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories
OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerabili
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerabi
Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely
OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low
Same weakness CWE-862 – Missing Authorization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today