XML External Entity injection in OneDev - CVE-2021-21250

Published: January 12, 2021 / Updated: May 5, 2026


Vulnerability identifier: #VU129782
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-21250
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: OneDev
Software vendor: OneDev

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper restriction of XML external entity reference in XmlBuildSpecMigrator.migrate() when processing BuildSpec provided in XML format. A remote user can supply a specially crafted XML BuildSpec to disclose sensitive information.

Exploitation may allow reading arbitrary files from the file system, and file contents may also be exfiltrated out of band.


Remediation

Install the security update from the vendor's website.

External links