XML External Entity injection in OneDev - CVE-2021-21250

 

XML External Entity injection in OneDev - CVE-2021-21250

Published: January 12, 2021 / Updated: May 5, 2026


Vulnerability identifier: #VU129782
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-21250
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OneDev
Affected software:
OneDev

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper restriction of XML external entity reference in XmlBuildSpecMigrator.migrate() when processing BuildSpec provided in XML format. A remote user can supply a specially crafted XML BuildSpec to disclose sensitive information.

Exploitation may allow reading arbitrary files from the file system, and file contents may also be exfiltrated out of band.


How to mitigate CVE-2021-21250

Install security update from vendor's website.

Sources