CVE-2021-21242

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-21242
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21242.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-21242
Related
  • GHSA-5q3q-f373-2jv8
Published
2021-01-15T21:15:13Z
Modified
2025-10-13T10:23:33.410556Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, low attack complexity, no privileges or user interaction required; high impact to confidentiality, integrity and availability)
Summary
[none]
Details

OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, there is a critical vulnerability that can lead to pre-authentication remote code execution. AttachmentUploadServlet deserializes untrusted data supplied by the client in the Attachment-Support HTTP request header, and the servlet enforces no authentication or authorization checks, so any client that can reach the OneDev HTTP endpoint can trigger the deserialization without credentials. Because the deserialized input is fully attacker-controlled, this issue may lead to pre-auth remote code execution on the server. This issue was fixed in 4.0.3 by removing AttachmentUploadServlet and no longer using deserialization for this functionality; operators should upgrade to 4.0.3 or later and, until then, restrict network access to the OneDev server to trusted clients.

References

Affected packages

Git / github.com/theonedev/onedev

Affected ranges

Type
GIT
Repo
https://github.com/theonedev/onedev
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2.*

2.0-beta-build118
2.0-beta-build119
2.0-beta-build120
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6

v3.*

v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.1
v3.1.2
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8

v4.*

v4.0.0

Database specific

{
    "vanir_signatures": [
        {
            "target": {
                "file": "server-product/src/main/java/io/onedev/server/product/ProductServletConfigurator.java"
            },
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "95625459293646225704374460036311792085",
                    "273321650894875083722225609492360674247",
                    "149536289285787303731267568078931440840",
                    "153129500511295848752433879135494058160",
                    "280725881616314491843426525321533622769",
                    "64587437893124324345541872598393811221",
                    "261954739022427592811629948128489486283",
                    "88063712212969795176022280017739111091",
                    "95297895078723082419144244669703545413",
                    "268439824853052387133004616797889899095",
                    "313779442606465538915916064064527254332",
                    "145154703806985278637211269919190537424",
                    "266604171710259684688025983564039979192",
                    "50218575993495602755051458702088158154",
                    "245895669601739186523638829428724289326",
                    "120883246611349581128873288576490272750",
                    "151319452066297218069829476394365562585",
                    "143743956365062115489095094820433744129",
                    "294334602643461307138168689981109570879",
                    "263691793919998130918910994220020285177",
                    "147037953542251971823999906159723690766"
                ]
            },
            "deprecated": false,
            "id": "CVE-2021-21242-1db244ea",
            "signature_type": "Line",
            "signature_version": "v1",
            "source": "https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be"
        },
        {
            "target": {
                "file": "server-core/src/main/java/io/onedev/server/web/BaseUrlMapper.java"
            },
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "256751552157367700744711932446284548929",
                    "107021468624948445515134062653427063912",
                    "313046391882167934489591927529070307651",
                    "301362883587848976738407231750262874044",
                    "186711964868064431750527798547340704217",
                    "213364005236987498956861439255402181889",
                    "133374288222721940077044672297674279471",
                    "30088399020270620000596782144212082372"
                ]
            },
            "deprecated": false,
            "id": "CVE-2021-21242-1f0571d1",
            "signature_type": "Line",
            "signature_version": "v1",
            "source": "https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be"
        },
        {
            "target": {
                "file": "server-core/src/main/java/io/onedev/server/CoreModule.java"
            },
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "160863075934594246310087021931678412820",
                    "215554479813368762459437369309270037769",
                    "93690401609363424324047197393599282318",
                    "266300942678303023375527140782135736588",
                    "23313910523019223781396139937582948474",
                    "282880891850181747168844388074972579234",
                    "143579891697229622692577873933162300888",
                    "80558066068730365613547543164400555750"
                ]
            },
            "deprecated": false,
            "id": "CVE-2021-21242-38dcc1df",
            "signature_type": "Line",
            "signature_version": "v1",
            "source": "https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be"
        },
        {
            "target": {
                "function": "doPost",
                "file": "server-core/src/main/java/io/onedev/server/web/component/markdown/AttachmentUploadServlet.java"
            },
            "digest": {
                "length": 832.0,
                "function_hash": "257240537605160715999981906308107906946"
            },
            "deprecated": false,
            "id": "CVE-2021-21242-3b3392ea",
            "signature_type": "Function",
            "signature_version": "v1",
            "source": "https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be"
        },
        {
            "target": {
                "function": "configure",
                "file": "server-product/src/main/java/io/onedev/server/product/ProductServletConfigurator.java"
            },
            "digest": {
                "length": 1431.0,
                "function_hash": "145814162199095249273376703435625445885"
            },
            "deprecated": false,
            "id": "CVE-2021-21242-7f4d41c5",
            "signature_type": "Function",
            "signature_version": "v1",
            "source": "https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be"
        },
        {
            "target": {
                "function": "configureWeb",
                "file": "server-core/src/main/java/io/onedev/server/CoreModule.java"
            },
            "digest": {
                "length": 2019.0,
                "function_hash": "273394235866300875759086043603048284626"
            },
            "deprecated": false,
            "id": "CVE-2021-21242-809a68de",
            "signature_type": "Function",
            "signature_version": "v1",
            "source": "https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be"
        },
        {
            "target": {
                "function": "onInitialize",
                "file": "server-core/src/main/java/io/onedev/server/web/component/markdown/MarkdownEditor.java"
            },
            "digest": {
                "length": 12115.0,
                "function_hash": "216139087569135330052738645608257158952"
            },
            "deprecated": false,
            "id": "CVE-2021-21242-a2b9ad0f",
            "signature_type": "Function",
            "signature_version": "v1",
            "source": "https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be"
        },
        {
            "target": {
                "file": "server-core/src/main/java/io/onedev/server/web/component/markdown/AttachmentUploadServlet.java"
            },
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "49541360837135790768534429726819087815",
                    "200537108741485271589568239126053926668",
                    "298355413294292382908846474181325170119",
                    "220699393177793245247100746068781675834",
                    "263505494837759318786661074108245226635",
                    "184121449870472071110530236464458845489",
                    "146291267804270856671916501344545440391",
                    "190887707810537948889131017229742134124",
                    "172196801818168756934215575011504024641",
                    "181010034319868991546119048082404778923",
                    "15104623613278015291099214083031339760",
                    "300942660232706504341397541571822591571",
                    "62764929970628014130494237343260208142",
                    "248580319244561220510607982272952252191",
                    "4180699673896947683939402850756221893",
                    "192903287207220378682861108203704877589",
                    "181812845064876615835486401508424392495",
                    "220143657503280630072624832485729031129",
                    "173699602687711222650091894960670826391",
                    "19186686223637199484015368435505167049",
                    "59237820954101049474697742183353555554",
                    "273845990207441843924559320195135462666",
                    "276083647709220164914377635139195677787",
                    "225583806824882289975660488592505389071",
                    "332423324066484944544728137604262895390",
                    "22626892541990244970600326514951091853",
                    "133351968693713748993518272953693199347",
                    "204709142282643463347360168177251607417",
                    "161505473530299524092327454807949620394",
                    "186353252857152253058669863182764854495",
                    "211230656414176033170855658196465620994",
                    "131300167355145676373397457845292816075",
                    "193110972337424188786230107628476454632",
                    "165472949058193466828942900374860079292",
                    "22589627147199411100799747245638376761",
                    "323537696931700007553900547699016785667",
                    "103842422699942942431319928769728158501"
                ]
            },
            "deprecated": false,
            "id": "CVE-2021-21242-be215a68",
            "signature_type": "Line",
            "signature_version": "v1",
            "source": "https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be"
        },
        {
            "target": {
                "file": "server-core/src/main/java/io/onedev/server/web/component/markdown/MarkdownEditor.java"
            },
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "193827472473032349198916656616655988824",
                    "110349372901302503574408531241892097147",
                    "138343701779473806246517290565947726571",
                    "197260742834329359023693104316043107739",
                    "22551303965829082225179019240437640226",
                    "53153208773575113136524990447551821219",
                    "94665950748832079942127722450233004909",
                    "2520424659927787290652155525758641401",
                    "333242589073971635081353143976125015658",
                    "288773476244647545615827369536433233752",
                    "230484901352906823788139158837819406291",
                    "258630986431767073760140032479979438113",
                    "177496589037573182233146071964127141937",
                    "305926237917411974696773980567539787836",
                    "138533079535466457146270599617045327650",
                    "53266737264123240053475402772431482222",
                    "193174029157670538197664411039605041477",
                    "272950831747015756712582686979269538904",
                    "258773968772888376517918731296907617653",
                    "304015283333166495126655560300168419197",
                    "192372346614806192288486624778438345278",
                    "324301206150450347086368377275580794926",
                    "118277810330955228889193097844080344107",
                    "162197593692702360561368360085690666648",
                    "119155884465000972756269884865521773740",
                    "42051831734650327575302334695001357789",
                    "173861095529503293664661659985526150772",
                    "228202928922227531070100350900261771550",
                    "198482323340266083505124177305608046860",
                    "124062425854225632628081329662207605213",
                    "79857656579781679713873665099933085318",
                    "296685852313678411056972883291578897176",
                    "207510203917269129827776452081666488505",
                    "160964247068918040365226535556390340960",
                    "115599432104285824816673223251818123475",
                    "259691645451762211705118438902004577598",
                    "42198086015974555726797493426838165726",
                    "241808798852260072992872558212401649364",
                    "54045425023987604997772399630880574864",
                    "239582486391285077412710964813963476384",
                    "79923543039576080629388533534544156358",
                    "256552646668785559945996032112332460718",
                    "299196632734724631062938307224651275122",
                    "92457311509591101642247399740798547771",
                    "331771983089586118306666504918224822489",
                    "247775732407738421163310593625610379571",
                    "51785888503635678139702363863749067935",
                    "96938856483481073308701159051582907072",
                    "267898011051402378109401679103677025330",
                    "268104134655794463037991695149656163618",
                    "122951409984269102911945017415712293150",
                    "292772861779218544380703778568064764414",
                    "261729032346019768392433323962977067299",
                    "268099233654848844790346913685873781333"
                ]
            },
            "deprecated": false,
            "id": "CVE-2021-21242-d3c62876",
            "signature_type": "Line",
            "signature_version": "v1",
            "source": "https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be"
        },
        {
            "target": {
                "function": "ProductServletConfigurator",
                "file": "server-product/src/main/java/io/onedev/server/product/ProductServletConfigurator.java"
            },
            "digest": {
                "length": 347.0,
                "function_hash": "324458603091809535304543306867188567060"
            },
            "deprecated": false,
            "id": "CVE-2021-21242-d59f843b",
            "signature_type": "Function",
            "signature_version": "v1",
            "source": "https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be"
        },
        {
            "target": {
                "function": "renderHead",
                "file": "server-core/src/main/java/io/onedev/server/web/component/markdown/MarkdownEditor.java"
            },
            "digest": {
                "length": 1246.0,
                "function_hash": "140934940039939154972924027995913260789"
            },
            "deprecated": false,
            "id": "CVE-2021-21242-de08b69d",
            "signature_type": "Function",
            "signature_version": "v1",
            "source": "https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be"
        }
    ]
}