CVE-2021-21245

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-21245
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21245.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-21245
Related
  • GHSA-62m2-38q5-96w9
Published
2021-01-15T21:15:13Z
Modified
2025-01-08T10:33:47.276707Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (request.getInputStream()) to a user specified location (request.getHeader("File-Name")). This issue may lead to arbitrary file upload which can be used to upload a WebShell to OneDev server. This issue is addressed in 4.0.3 by only allowing uploaded file to be in attachments folder. The webshell issue is not possible as OneDev never executes files in attachments folder.

References

Affected packages

Git / github.com/theonedev/onedev

Affected ranges

Type
GIT
Repo
https://github.com/theonedev/onedev
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

2.*

2.0-beta-build118
2.0-beta-build119
2.0-beta-build120
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6

v3.*

v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.1
v3.1.2
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8

v4.*

v4.0.0