Skip to main content

Onedev CVE-2022-39208

HIGH
Files or Directories Accessible to External Parties (CWE-552)
2022-09-13 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 13, 2022 - 19:15 nvd
HIGH 7.5

DescriptionNVD

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file disclosure vulnerability can be used by unauthenticated attackers to leak all project files of any project. Since project IDs are incremental, an attacker could iterate through them and leak all project data. This issue has been resolved in version 7.3.0 and users are advised to upgrade. There are no known workarounds for this issue.

AnalysisAI

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-552. Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file disclosure vulnerability can be used by unauthenticated attackers to leak all project files of any project. Since project IDs are incremental, an attacker could iterate through them and leak all project data. This issue has been resolved in version 7.3.0 and users are advised to upgrade. There are no known workarounds for this issue. Affected products include: Onedev Project Onedev. Version information: version 7.3.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Onedev

View all
CVE-2022-39206 CRITICAL POC
9.9 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnera

CVE-2022-39205 CRITICAL POC
9.8 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-38301 HIGH POC
8.8 Sep 14

Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories

CVE-2024-45309 HIGH POC
8.7 Oct 21

OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely

CVE-2021-21246 HIGH POC
7.5 Jan 15

OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no

CVE-2021-21245 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21242 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21244 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21243 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2022-39207 MEDIUM POC
5.4 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerabi

CVE-2023-24828 HIGH
8.8 Feb 08

Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely

CVE-2021-21251 HIGH
8.8 Jan 15

OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

Share

CVE-2022-39208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy