SB2022091391 - Multiple vulnerabilities in OneDev

Published: September 13, 2022 Updated: May 5, 2026

Security Bulletin ID: SB2022091391
CSH Severity: High
Patch available: Yes
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 1 (25%), Medium: 2 (50%), Low: 1 (25%), Critical: 0

Description

This security bulletin contains information about 4 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2022-39208)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because requests for site files under the /opt/onedev/sites/ directory are served without adequate authorization checks. A remote attacker can request the site files of projects they are not permitted to see and read exposed project files and repository data.

Project IDs are incremental, so the attacker does not need to know project names: iterating over IDs enumerates the projects and whatever site data each one exposes.
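Because the IDs are sequential, an enumeration of this kind leaves a characteristic trace in the web server access log: one client walking a near-contiguous run of integer path segments, hits and 404s alike. The detector below is an added example written for this bulletin, not OneDev code; the log lines are constructed, and the "/sites/<id>/" path shape is assumed for illustration rather than taken from the advisory.

```python
import re
import sys
from collections import defaultdict

# Constructed sample access log (common log format). The "/sites/<id>/" path
# is an assumed shape for illustration, not the OneDev URL layout.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Sep/2022:10:00:01 +0000] "GET /sites/1/index.html HTTP/1.1" 200 512
10.0.0.5 - - [13/Sep/2022:10:00:02 +0000] "GET /sites/2/index.html HTTP/1.1" 200 512
10.0.0.5 - - [13/Sep/2022:10:00:03 +0000] "GET /sites/3/index.html HTTP/1.1" 404 0
10.0.0.5 - - [13/Sep/2022:10:00:04 +0000] "GET /sites/4/index.html HTTP/1.1" 200 1024
10.0.0.5 - - [13/Sep/2022:10:00:05 +0000] "GET /sites/5/index.html HTTP/1.1" 200 2048
10.0.0.9 - - [13/Sep/2022:10:00:06 +0000] "GET /sites/42/index.html HTTP/1.1" 200 512
10.0.0.9 - - [13/Sep/2022:10:00:07 +0000] "GET /sites/42/style.css HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# First path segment after /sites/ is the numeric project id (assumed layout).
ID_RE = re.compile(r"^/sites/(?P<id>\d+)/")


def parse_log(text):
    """Yield (client_ip, path, status) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))


def find_id_sweeps(text, min_ids=4, max_gap=2):
    """Return {client_ip: [ids]} for clients that touched at least min_ids
    distinct project ids in one near-contiguous run (each step <= max_gap).
    404 responses count too: misses are part of an enumeration."""
    ids_by_ip = defaultdict(set)
    for ip, path, _status in parse_log(text):
        m = ID_RE.match(path)
        if m:
            ids_by_ip[ip].add(int(m.group("id")))

    sweeps = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        run = [ordered[0]]
        best = run
        for prev, cur in zip(ordered, ordered[1:]):
            if cur - prev <= max_gap:
                run.append(cur)
            else:
                run = [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_ids:
            sweeps[ip] = best
    return sweeps


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, ids in find_id_sweeps(text).items():
        print(f"{ip}: swept project ids {ids[0]}..{ids[-1]} ({len(ids)} ids)")
```

Feed it a real access log on stdin and tune min_ids and max_gap to the size of the instance; a legitimate user who opens a handful of projects will never produce a long contiguous run.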


2) Cross-site scripting (CVE-ID: CVE-2022-39207)

The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists because the web UI serves build artifacts inline, including attacker-controlled HTML files, from the application's own origin. A remote user who can place a crafted HTML artifact in a build can trick a victim into opening a link to it; the embedded script then runs in the context of the OneDev web application with the victim's session.

Exploitation requires the ability to control artifact content, typically by modifying a project's build spec, and user interaction is required to open the crafted link.
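The underlying mistake is serving user-controlled files inline from the application origin. The following is an added example for this bulletin, not OneDev's code: it contrasts the header set that reproduces the weakness with a hardened set that forces active content to download, disables sniffing and applies a sandbox CSP. The ACTIVE_TYPES list and the helper names are the author's own choices.

```python
import mimetypes
import posixpath
import re

# Content types a browser treats as an active document: served inline from
# the application origin they can run script with the viewer's session.
ACTIVE_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "application/xml",
    "text/xml",
}


def guess_type(path):
    """Natural content type of the artifact, as a naive file server would send it."""
    return mimetypes.guess_type(path)[0] or "application/octet-stream"


def artifact_headers_unsafe(path):
    """The pattern the advisory describes: an attacker-controlled artifact is
    served inline with its natural content type, so index.html from a build
    renders as the application's own origin."""
    return {"Content-Type": guess_type(path)}


def artifact_headers_safe(path):
    """Hardened form for artifacts that must stay on the application origin:
    active content is forced to a download under an opaque type, sniffing is
    disabled, and a sandbox CSP neuters anything a browser still renders."""
    ctype = guess_type(path)
    # Keep the filename parameter free of quotes and control characters.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", posixpath.basename(path)) or "artifact"
    return {
        "Content-Type": "application/octet-stream" if ctype in ACTIVE_TYPES else ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Content-Disposition": f'attachment; filename="{name}"',
    }


if __name__ == "__main__":
    for p in ("site/index.html", "site/logo.svg", "out/notes.txt"):
        print(p, "unsafe:", artifact_headers_unsafe(p)["Content-Type"],
              "safe:", artifact_headers_safe(p)["Content-Type"])
```

If artifacts need to render in the browser (HTML reports, coverage pages), the robust alternative is to serve them from a dedicated origin, a separate hostname, so that even executing script cannot reach the application's cookies or storage; the sandbox CSP above is the fallback when that is not possible.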


3) Improper access control (CVE-ID: CVE-2022-39206)

The vulnerability allows a remote user to gain root privileges on the host system.

The vulnerability exists because Docker-based job executors mount the host's Docker socket into the containers that run Docker steps. A job step that talks to the mounted socket controls the host Docker daemon, which is equivalent to root on the host, since the daemon can start containers with arbitrary host paths mounted. A remote user can define and trigger a CI/CD job containing such a step.

Exploitation requires permission to create a project and the ability to define and trigger CI/CD jobs.
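A quick way to audit a job host for this exposure is to inspect its running containers for a bind of the Docker socket (or the --privileged flag, which is just as bad). The audit below is an added example for this bulletin, not OneDev or Docker code; the inspect data is a constructed subset of what `docker inspect` returns, and the finding text is the author's own.

```python
import json
import sys

DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed subset of `docker inspect` output for three job containers.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111", "Name": "/job-runner-1",
        "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                                 "/tmp/ws1:/workspace"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
    {
        "Id": "bbb222", "Name": "/job-runner-2",
        "HostConfig": {"Binds": ["/tmp/ws2:/workspace"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/tmp/ws2", "Destination": "/workspace"}],
    },
    {
        "Id": "ccc333", "Name": "/job-runner-3",
        "HostConfig": {"Binds": [], "Privileged": True},
        "Mounts": [],
    },
])


def host_escape_risks(inspect_json):
    """Return {container_name: [reasons]} for containers that can take over
    the host: a bind of the Docker socket (root-equivalent, since the daemon
    can run a container with / mounted) or a privileged container."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        # Host-side sources from both the HostConfig binds and the Mounts view.
        sources = {b.split(":")[0] for b in hc.get("Binds") or []}
        sources |= {m.get("Source") for m in c.get("Mounts") or []
                    if m.get("Type") == "bind"}
        reasons = []
        if DOCKER_SOCKET in sources:
            reasons.append("docker socket bind-mounted (root-equivalent on host)")
        if hc.get("Privileged"):
            reasons.append("privileged container")
        if reasons:
            findings[c.get("Name") or c.get("Id")] = reasons
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, reasons in host_escape_risks(data).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a real host run it as `docker inspect $(docker ps -q) | python3 audit.py`. Any hit on a container that executes user-defined job steps is a finding: job steps that need to build images should go through a rootless daemon, a per-job daemon sidecar, or a daemonless builder rather than the host's socket.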


4) Improper access control (CVE-ID: CVE-2022-39205)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists because the /git-prereceive-callback endpoint, which is intended to be reachable only from localhost, determines the caller's address from the X-Forwarded-For header; a remote client can set that header to a loopback address and pass the check. The endpoint's query parameters control environment variables of the command it runs, so a remote attacker can send a specially crafted request to execute arbitrary code on the server.

Exploitation requires that the instance is reachable without a properly configured reverse proxy in front of it, that is, one that replaces any client-supplied X-Forwarded-For header with the real client address instead of forwarding it.
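The general lesson is that a forwarding header is only as trustworthy as the hop that wrote it. The added example below (written for this bulletin, not OneDev code) shows the spoofable check the advisory describes, a hardened localhost check that ignores forwarding headers altogether, and a general client-address resolver that honours X-Forwarded-For only behind configured proxies. The TRUSTED_PROXIES range and the sample addresses are assumptions.

```python
import ipaddress

# Assumed address range of the reverse proxies in front of the application;
# adjust for a real deployment. Not taken from the OneDev advisory.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_local_unsafe(peer_ip, headers):
    """The pattern the advisory describes: when X-Forwarded-For is present its
    first entry replaces the real TCP peer, so any remote client that sends
    'X-Forwarded-For: 127.0.0.1' passes a localhost-only check."""
    xff = headers.get("X-Forwarded-For")
    claimed = xff.split(",")[0].strip() if xff else peer_ip
    return ipaddress.ip_address(claimed).is_loopback


def is_local_safe(peer_ip, headers):
    """Hardened localhost check: decide purely on the socket peer address.
    A request that arrived through any proxy is by definition not local,
    so forwarding headers play no part in this decision."""
    del headers  # deliberately unused
    return ipaddress.ip_address(peer_ip).is_loopback


def client_address(peer_ip, headers, trusted_proxies=TRUSTED_PROXIES):
    """General case for endpoints that legitimately sit behind a proxy: start
    from the TCP peer and walk X-Forwarded-For right to left, skipping only
    addresses that belong to our own proxies. The leftmost, client-supplied
    entry is never trusted on its own. Malformed addresses raise ValueError."""
    addr = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For")
    hops = [h.strip() for h in xff.split(",")] if xff else []
    while hops and any(addr in net for net in trusted_proxies):
        addr = ipaddress.ip_address(hops.pop())
    return str(addr)


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "127.0.0.1"}
    print("unsafe check, remote peer claiming localhost:", is_local_unsafe("203.0.113.7", spoof))
    print("safe check, same request:", is_local_safe("203.0.113.7", spoof))
    print("resolved client via trusted proxy:",
          client_address("10.0.0.2", {"X-Forwarded-For": "127.0.0.1, 198.51.100.4"}))
```

At the proxy, the matching configuration is one that overwrites the header with the connecting address (for nginx, `proxy_set_header X-Forwarded-For $remote_addr;`) rather than appending to whatever the client sent; appending keeps the spoofed loopback entry in first position, which is exactly what the weak check reads.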


Remediation

Install the update from the vendor's website.