CVE-2021-21244

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-21244
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21244.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-21244
Related
  • GHSA-vm26-xg39-cfj4
Published
2021-01-15T20:15:12.097Z
Modified
2025-11-14T11:13:44.649732Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, there is a vulnerability that enabled pre-auth server-side template injection via Bean Validation message tampering. Full details are in the referenced GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely.

References

Affected packages

Git / github.com/theonedev/onedev

Affected ranges

Type
GIT
Repo
https://github.com/theonedev/onedev
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2.*

2.0-beta-build118
2.0-beta-build119
2.0-beta-build120
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6

v3.*

v3.0.10
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9

Database specific

vanir_signatures

[
    {
        "digest": {
            "function_hash": "314345820516131289704848469007129524610",
            "length": 105.0
        },
        "target": {
            "function": "get",
            "file": "server-core/src/main/java/io/onedev/server/CoreModule.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/theonedev/onedev/commit/4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65",
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2021-21244-00f1dfb7"
    },
    {
        "digest": {
            "function_hash": "273615317538706682405484608998595562832",
            "length": 7472.0
        },
        "target": {
            "function": "configure",
            "file": "server-core/src/main/java/io/onedev/server/CoreModule.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/theonedev/onedev/commit/4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65",
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2021-21244-9bf28ea7"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "145208361911632134107315593457353159029",
                "283939253622884751924792024688269929394",
                "47811403021720389437033609848088136124",
                "64441979548177091500874682461307828276",
                "194885136040210411584264671351583632863",
                "217384460011324300131371455490280892268",
                "304249122755757553178080581108472414753",
                "223913018099819470493469984824242314602"
            ]
        },
        "target": {
            "file": "server-core/src/main/java/io/onedev/server/CoreModule.java"
        },
        "signature_version": "v1",
        "source": "https://github.com/theonedev/onedev/commit/4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65",
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2021-21244-b046c707"
    }
]