Onedev
Monthly
Arbitrary file write in OneDev 15.0.6 and earlier allows any authenticated user with CI Job write access to overwrite files anywhere on the server filesystem by uploading a crafted TAR archive whose symbolic link entries point to absolute paths outside the extraction directory. The flaw is an incomplete-fix bypass of CVE-2021-21251, which only blocked `..` path traversal in TAR entry names but never validated symlink targets. No public exploit has been identified at time of analysis, but the official patch commit and GitHub Security Advisory GHSA-55g8-94r5-cj37 publicly describe the bypass mechanism.
Improper authorization in OneDev's Pull Request Handler allows authenticated remote attackers to bypass issue access controls. The `canAccessIssue` function in the `/issues/` endpoint of theonedev/onedev versions through 15.0.5 fails to correctly enforce authorization, enabling a low-privileged user to access issues they should not be permitted to view or modify. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 15.0.6.
{projectId}/default-branch` endpoint. All OneDev versions through 15.0.5 are affected; the CVSS vector (PR:L) confirms a low-privilege authenticated user is sufficient to trigger the flaw remotely with no user interaction required. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; vendor-released patch v15.0.6 is available.
Improper authorization in theonedev OneDev versions up to 15.0.5 allows authenticated low-privileged users to manipulate the `project.parentId` parameter in the `/projects/` Parent Project Handler endpoint, bypassing access controls on project hierarchy operations. The CVSS vector (PR:L/AV:N/AC:L) confirms this is a network-exploitable flaw requiring only a low-privilege account with no user interaction. Although the base impact scores are uniformly low (C:L/I:L/A:L), in a self-hosted DevOps platform context - where projects may contain source code, CI/CD pipelines, and secrets - the real-world risk to sensitive deployments exceeds what the 6.3 CVSS score alone conveys. No public exploit or CISA KEV listing exists at time of analysis; an official patch is available as v15.0.6.
Improper authorization in theonedev OneDev up to version 15.0.5 allows authenticated remote attackers to bypass access controls by manipulating the `project.forkedFromId` argument in requests to the `/projects` endpoint. The flaw, classified under CWE-285, enables low-privileged users to perform actions or access project data beyond their authorization scope. No public exploit code has been identified at time of analysis, and a vendor-released patch (v15.0.6) is available.
OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories via uploading a crafted JAR file into the directory /opt/onedev/lib. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
OneDev is a development operations platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OneDev is an all-in-one devops platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Arbitrary file write in OneDev 15.0.6 and earlier allows any authenticated user with CI Job write access to overwrite files anywhere on the server filesystem by uploading a crafted TAR archive whose symbolic link entries point to absolute paths outside the extraction directory. The flaw is an incomplete-fix bypass of CVE-2021-21251, which only blocked `..` path traversal in TAR entry names but never validated symlink targets. No public exploit has been identified at time of analysis, but the official patch commit and GitHub Security Advisory GHSA-55g8-94r5-cj37 publicly describe the bypass mechanism.
Improper authorization in OneDev's Pull Request Handler allows authenticated remote attackers to bypass issue access controls. The `canAccessIssue` function in the `/issues/` endpoint of theonedev/onedev versions through 15.0.5 fails to correctly enforce authorization, enabling a low-privileged user to access issues they should not be permitted to view or modify. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in version 15.0.6.
{projectId}/default-branch` endpoint. All OneDev versions through 15.0.5 are affected; the CVSS vector (PR:L) confirms a low-privilege authenticated user is sufficient to trigger the flaw remotely with no user interaction required. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; vendor-released patch v15.0.6 is available.
Improper authorization in theonedev OneDev versions up to 15.0.5 allows authenticated low-privileged users to manipulate the `project.parentId` parameter in the `/projects/` Parent Project Handler endpoint, bypassing access controls on project hierarchy operations. The CVSS vector (PR:L/AV:N/AC:L) confirms this is a network-exploitable flaw requiring only a low-privilege account with no user interaction. Although the base impact scores are uniformly low (C:L/I:L/A:L), in a self-hosted DevOps platform context - where projects may contain source code, CI/CD pipelines, and secrets - the real-world risk to sensitive deployments exceeds what the 6.3 CVSS score alone conveys. No public exploit or CISA KEV listing exists at time of analysis; an official patch is available as v15.0.6.
Improper authorization in theonedev OneDev up to version 15.0.5 allows authenticated remote attackers to bypass access controls by manipulating the `project.forkedFromId` argument in requests to the `/projects` endpoint. The flaw, classified under CWE-285, enables low-privileged users to perform actions or access project data beyond their authorization scope. No public exploit code has been identified at time of analysis, and a vendor-released patch (v15.0.6) is available.
OneDev is a Git server with CI/CD, kanban, and packages. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Onedev is a self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories via uploading a crafted JAR file into the directory /opt/onedev/lib. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
OneDev is a development operations platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OneDev is an all-in-one devops platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
OneDev is an all-in-one devops platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OneDev is an all-in-one devops platform. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
OneDev is an all-in-one devops platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.