CVE-2021-21244

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-21244
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21244.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-21244
Related
  • GHSA-vm26-xg39-cfj4
Published
2021-01-15T20:15:12.097Z
Modified
2026-04-11T23:33:56.036472Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely.

References

Affected packages

Git / github.com/theonedev/onedev

Affected ranges

Type
GIT
Repo
https://github.com/theonedev/onedev
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4bd71941974a1b077e955616d7ba3da6fd21670c
Fixed
4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.0.3"
        }
    ]
}

Affected versions

2.*
2.0-beta-build119
2.0-beta-build120
2.0.0
2.0.4
2.0.5
v3.*
v3.0.10
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.1
v3.1.2
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v4.*
v4.0.0
v4.0.1
v4.0.2

Database specific

vanir_signatures_modified 
"2026-04-11T23:33:56Z"
vanir_signatures 
[
    {
        "deprecated": false,
        "target": {
            "file": "server-core/src/main/java/io/onedev/server/CoreModule.java",
            "function": "get"
        },
        "id": "CVE-2021-21244-00f1dfb7",
        "signature_type": "Function",
        "source": "https://github.com/theonedev/onedev/commit/4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65",
        "signature_version": "v1",
        "digest": {
            "function_hash": "314345820516131289704848469007129524610",
            "length": 105.0
        }
    },
    {
        "deprecated": false,
        "target": {
            "file": "server-core/src/main/java/io/onedev/server/CoreModule.java",
            "function": "configure"
        },
        "id": "CVE-2021-21244-9bf28ea7",
        "signature_type": "Function",
        "source": "https://github.com/theonedev/onedev/commit/4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65",
        "signature_version": "v1",
        "digest": {
            "function_hash": "273615317538706682405484608998595562832",
            "length": 7472.0
        }
    },
    {
        "deprecated": false,
        "target": {
            "file": "server-core/src/main/java/io/onedev/server/CoreModule.java"
        },
        "id": "CVE-2021-21244-b046c707",
        "signature_type": "Line",
        "source": "https://github.com/theonedev/onedev/commit/4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "145208361911632134107315593457353159029",
                "283939253622884751924792024688269929394",
                "47811403021720389437033609848088136124",
                "64441979548177091500874682461307828276",
                "194885136040210411584264671351583632863",
                "217384460011324300131371455490280892268",
                "304249122755757553178080581108472414753",
                "223913018099819470493469984824242314602"
            ],
            "threshold": 0.9
        }
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21244.json"