CVE-2021-21247

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-21247
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21247.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-21247
Related
  • GHSA-6pxf-75cf-vwjp
Published
2021-01-15T21:15:13.583Z
Modified
2026-03-13T22:01:13.605691Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (AbstractPostAjaxBehavior) in all pages other than the login page. This listener decodes and deserializes the data query parameter. We can access this listener by submitting a POST request to any page. This issue may lead to post-auth RCE This endpoint is subject to authentication and, therefore, requires a valid user to carry on the attack. This issue was addressed in 4.0.3 by encrypting serialization payload with secrets only known to server.

References

Affected packages

Git / github.com/theonedev/onedev

Affected ranges

Type
GIT
Repo
https://github.com/theonedev/onedev
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4bd71941974a1b077e955616d7ba3da6fd21670c
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.0.3"
        }
    ]
}

Affected versions

2.*
2.0-beta-build118
2.0-beta-build119
2.0-beta-build120
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
v3.*
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.1
v3.1.2
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v4.*
v4.0.0
v4.0.1
v4.0.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21247.json"