
CVE-2021-21244

CVSS Severity Score: 10.0 (CRITICAL)
EPSS Score: 0.0200%
EPSS Percentile: 27.04th
Published: Jan 15, 2021
Last Modified: Nov 21, 2024

Vulnerability Description

OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, there is a vulnerability that enables pre-auth server-side template injection via Bean validation message tampering. Full details are in the referenced GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely.

Affected Platforms (CPE)

Vendor: Onedev Project
Product: Onedev
Affected versions: < 4.0.3

References & Advisories
