Skip to main content

Onedev CVE-2023-24828

HIGH
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
2023-02-08 security-advisories@github.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Feb 08, 2023 - 00:15 nvd
HIGH 8.8

DescriptionNVD

Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12 the algorithm used to generate access token and password reset keys was not cryptographically secure. Existing normal users (or everyone if it allows self-registration) may exploit this to elevate privilege to obtain administrator permission. This issue is has been addressed in version 7.9.12. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AnalysisAI

Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-338. Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12 the algorithm used to generate access token and password reset keys was not cryptographically secure. Existing normal users (or everyone if it allows self-registration) may exploit this to elevate privilege to obtain administrator permission. This issue is has been addressed in version 7.9.12. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Onedev Project Onedev. Version information: prior to 7.9.12.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Onedev

View all
CVE-2022-39206 CRITICAL POC
9.9 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnera

CVE-2022-39205 CRITICAL POC
9.8 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnera

CVE-2022-38301 HIGH POC
8.8 Sep 14

Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories

CVE-2024-45309 HIGH POC
8.7 Oct 21

OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely

CVE-2022-39208 HIGH POC
7.5 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerabili

CVE-2021-21246 HIGH POC
7.5 Jan 15

OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no

CVE-2021-21245 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21242 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21244 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2021-21243 CRITICAL
9.8 Jan 15

OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2022-39207 MEDIUM POC
5.4 Sep 13

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerabi

CVE-2021-21251 HIGH
8.8 Jan 15

OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

Share

CVE-2023-24828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy