CVE-2021-21243

Published: Jan 15, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks. This issue may lead to pre-auth RCE. This issue was fixed in 4.0.3 by not using deserialization at KubernetesResource side.

Affected (1)

Products: Onedev Project: Onedev

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Onedev Project Onedev	Before 4.0.3

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (4)

https://github.com/theonedev/onedev/commit/9637fc8fa461c5777282a0021c3deb1e7a48f137

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/theonedev/onedev/security/advisories/GHSA-9mmq-fm8c-q4fv

Source: security-advisories@github.com

Third Party Advisory

https://github.com/theonedev/onedev/commit/9637fc8fa461c5777282a0021c3deb1e7a48f137

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/theonedev/onedev/security/advisories/GHSA-9mmq-fm8c-q4fv

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.