SB2021011292 - Multiple vulnerabilities in OneDev


Published: January 12, 2021 Updated: May 5, 2026

Security Bulletin ID: SB2021011292
CSH Severity: High
Patch available: Yes
Number of vulnerabilities: 10
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by severity: High 40%, Medium 40%, Low 20%

Description

This security bulletin contains information about 10 vulnerabilities.


1) Path traversal (CVE-ID: CVE-2021-21251)

The vulnerability allows a remote user to overwrite arbitrary files.

The vulnerability exists due to path traversal in TarUtils untar processing within the KubernetesResource upload-outcomes REST endpoint when extracting user-controlled tar archive data from the request body. A remote user can send a specially crafted tar archive to overwrite arbitrary files.

Exploitation requires a valid JobToken.


2) XML External Entity injection (CVE-ID: CVE-2021-21250)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper restriction of XML external entity reference in XmlBuildSpecMigrator.migrate() when processing BuildSpec provided in XML format. A remote user can supply a specially crafted XML BuildSpec to disclose sensitive information.

Exploitation may allow reading arbitrary files from the file system, and file contents may also be exfiltrated out of band.
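Item 2 comes down to an XML parser that honours a DOCTYPE and resolves external entities while reading a BuildSpec. The hardened form a practitioner would want is a parser that refuses any DOCTYPE or external entity before the document body is touched. The following is an added example in Python (not OneDev's XmlBuildSpecMigrator code); `parse_build_spec`, the element names and both sample documents are constructed for illustration.

```python
import xml.parsers.expat


class UnsafeXml(ValueError):
    """The document tried to declare a DOCTYPE or reference an external entity."""


def parse_build_spec(xml_bytes: bytes) -> list[tuple[str, str]]:
    """Parse a BuildSpec-like document into (element, direct text) pairs.

    Parsing is aborted as soon as expat reports a DOCTYPE declaration or an
    external entity reference, so no entity is ever resolved from disk or
    over the network."""
    parser = xml.parsers.expat.ParserCreate()
    found: list[tuple[str, str]] = []
    stack: list[list[str]] = []  # one [name, text, text, ...] per open element

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE {name!r} is not allowed in a build spec")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXml(f"external entity {sysid!r} refused")

    def on_start(name, attrs):
        stack.append([name])

    def on_data(text):
        if stack:
            stack[-1].append(text)

    def on_end(name):
        parts = stack.pop()
        found.append((parts[0], "".join(parts[1:]).strip()))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_data
    parser.EndElementHandler = on_end
    parser.Parse(xml_bytes, True)  # an exception raised in a handler propagates
    return found


# Constructed sample documents (not taken from the advisory).
BENIGN_SPEC = b"""<?xml version="1.0"?>
<buildSpec><job><name>ci</name><image>alpine</image></job></buildSpec>"""

XXE_SPEC = b"""<?xml version="1.0"?>
<!DOCTYPE buildSpec [<!ENTITY ext SYSTEM "file:///some/local/file">]>
<buildSpec><job><name>&ext;</name></job></buildSpec>"""
```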


3) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21249)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to unsafe deserialization in the BuildSpec YAML parser when processing a crafted YAML BuildSpec file. A remote user can supply a specially crafted YAML payload to execute arbitrary code.

The issue is post-authentication: exploitation requires an authenticated user.


4) Code Injection (CVE-ID: CVE-2021-21248)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to code injection in InputSpec when processing user-controlled build parameters. A remote user can inject Groovy code through build parameters to execute arbitrary code on the server.

Exploitation requires the ability to control job parameters in a build specification.


5) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21247)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to unsafe deserialization in the BasePage AJAX event listener (AbstractPostAjaxBehavior) when processing a POST request containing a serialized data parameter. A remote user can send a specially crafted POST request with a malicious serialized payload to execute arbitrary code.

The vulnerable listener is registered on all pages other than the login page, and exploitation requires a valid authenticated session.


6) Improper access control (CVE-ID: CVE-2021-21246)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the UserResource /users/{id} endpoint when handling crafted REST API requests. A remote attacker can send a specially crafted request to disclose sensitive information.

Exposed user details include access tokens, which may allow impersonation of the affected user and access to projects available to that account.


7) Improper access control (CVE-ID: CVE-2021-21245)

The vulnerability allows a remote attacker to upload arbitrary files.

The vulnerability exists due to improper access control in AttachmentUploadServlet when handling file upload requests. A remote attacker can send a crafted upload request with a user-controlled File-Name header to upload arbitrary files.

This file system operation occurs before authentication or authorization checks are enforced.
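Items 1 and 7 share one root cause: a name chosen by the client (a tar member name in item 1, the File-Name header in item 7) decides where the server writes, without a check that the resolved path stays inside the intended directory. The following is an added example in Python (not OneDev's TarUtils or AttachmentUploadServlet code) showing that containment check applied to both cases; the function names and the sample archive are constructed for illustration, and the tar extractor validates every member before writing anything.

```python
import io
import os
import tarfile

class UnsafePath(ValueError):
    """A client-supplied name would land outside the intended directory."""

def resolve_inside(dest_dir: str, name: str) -> str:
    """Absolute path for `name` under `dest_dir`, or UnsafePath if it escapes."""
    base = os.path.realpath(dest_dir)
    if not name or os.path.isabs(name) or name.startswith("\\"):
        raise UnsafePath(f"absolute or empty name rejected: {name!r}")
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:  # climbed out via '..'
        raise UnsafePath(f"name escapes destination: {name!r}")
    return target

def safe_untar(archive: bytes, dest_dir: str) -> list[str]:
    """Extract plain files/dirs only, after validating every member first,
    so a malicious entry late in the archive cannot leave partial output."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        plan = []
        for m in tar.getmembers():
            if not (m.isfile() or m.isdir()):  # no symlinks, hardlinks, devices
                raise UnsafePath(f"unsupported member type: {m.name!r}")
            plan.append((m, resolve_inside(dest_dir, m.name)))
        written = []
        for m, target in plan:
            os.makedirs(target if m.isdir() else os.path.dirname(target), exist_ok=True)
            if m.isfile():
                with tar.extractfile(m) as src, open(target, "wb") as dst:
                    dst.write(src.read())
                written.append(target)
    return written

def upload_target(upload_dir: str, file_name_header: str) -> str:
    """Map a client-supplied File-Name header to a file inside upload_dir."""
    if file_name_header in (".", "..") or "/" in file_name_header or "\\" in file_name_header:
        raise UnsafePath(f"file name must be a plain leaf: {file_name_header!r}")
    return resolve_inside(upload_dir, file_name_header)

def build_tar(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive for the checks above (not from the advisory)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```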


8) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2021-21244)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to server-side template injection in ValidQueryParamsValidator when handling unexpected query parameters in REST requests. A remote attacker can send a specially crafted query parameter to execute arbitrary code.

The issue is triggered before authentication or authorization checks are enforced.


9) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21243)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to unsafe deserialization in KubernetesResource REST endpoints when processing untrusted serialized data from the request body. A remote attacker can send a specially crafted serialized payload to execute arbitrary code.

The issue affects the /allocate-job-caches and /report-job-caches endpoints, and no authentication or authorization checks are enforced.


10) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21242)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to unsafe deserialization in AttachmentUploadServlet when handling a POST request with a crafted Attachment-Support header. A remote attacker can send a specially crafted request to execute arbitrary code.

The servlet does not enforce authentication or authorization checks.


Remediation

Install the update from the vendor's website.