OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3 (CVE-2021-21243), a Kubernetes executor REST endpoint (`KubernetesResource`) exposed two methods that deserialized untrusted data read directly from the HTTP request body; the function-level signatures below cover `allocateJobCaches` and `reportJobCaches` in that class. These endpoints enforced no authentication or authorization checks, so an unauthenticated remote client could reach the deserialization sink directly, which may lead to pre-authentication remote code execution (RCE). The issue was fixed in 4.0.3 by removing object deserialization from the `KubernetesResource` side of the endpoint (upstream commit 9637fc8fa461c5777282a0021c3deb1e7a48f137).
[
{
"id": "CVE-2021-21243-16df3157",
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "server-plugin/server-plugin-executor-kubernetes/src/main/java/io/onedev/server/plugin/executor/kubernetes/KubernetesResource.java"
},
"deprecated": false,
"digest": {
"line_hashes": [
"241454116038766963430399161680906626431",
"314078502555222656048002491499314065447",
"40205319995427603190709270624024070574",
"103269922319081159541126851300724336221",
"308746997139273429644895203850654001320",
"82980383454921326312502973375320860148",
"279812629151204785480795232544870453316",
"48064842004355720352478089605854366322",
"311483091014706123822284141616608622932",
"173348912717021511060871154422690468953",
"275493352357561029974325797243848537326",
"302470007147461142398940759074613931230",
"192238907635528387881542363259005011425",
"288952928836919555511179897369512123767",
"53959606744092215736799662230628302923",
"38678850932765106276765647546665725062",
"79175348790058419220576292605559825385",
"253355559665806764515667701437984541918",
"182184692367158962550903202911949520832"
],
"threshold": 0.9
},
"source": "https://github.com/theonedev/onedev/commit/9637fc8fa461c5777282a0021c3deb1e7a48f137"
},
{
"id": "CVE-2021-21243-b59f44a9",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "server-plugin/server-plugin-executor-kubernetes/src/main/java/io/onedev/server/plugin/executor/kubernetes/KubernetesResource.java",
"function": "allocateJobCaches"
},
"deprecated": false,
"digest": {
"length": 232.0,
"function_hash": "22853115447328283823120854265367485492"
},
"source": "https://github.com/theonedev/onedev/commit/9637fc8fa461c5777282a0021c3deb1e7a48f137"
},
{
"id": "CVE-2021-21243-b8081a36",
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "server-plugin/server-plugin-executor-kubernetes/src/main/java/io/onedev/server/plugin/executor/kubernetes/KubernetesResource.java",
"function": "reportJobCaches"
},
"deprecated": false,
"digest": {
"length": 180.0,
"function_hash": "153306830354783593288757321419261073604"
},
"source": "https://github.com/theonedev/onedev/commit/9637fc8fa461c5777282a0021c3deb1e7a48f137"
}
]