CVE-2022-38301

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-38301
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-38301.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-38301
Published
2022-09-14T21:15:10.483Z
Modified
2025-11-20T12:09:23.180551Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

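OneDev v7.4.14 contains a path traversal vulnerability that allows attackers to access restricted files and directories by uploading a crafted JAR file into the directory /opt/onedev/lib. The CVSS vector above (AV:N, PR:L, UI:N) rates the issue as reachable over the network by an authenticated, low-privileged user with no user interaction. The signatures under "Database specific" all target ArtifactUploadPanel.java (functions onInitialize and onSubmit) and cite commit 5b6a19c1f7fe9c271acc4268bcd261a9a1cbb3ea, which appears to be the upstream fix. Because the "Fixed" event below is empty on this page, confirm that a deployment contains that commit rather than relying on the version list alone.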

References

Affected packages

Git / github.com/theonedev/onedev

Affected ranges

Type
GIT
Repo
https://github.com/theonedev/onedev
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2.*

2.0-beta-build118
2.0-beta-build119
2.0-beta-build120
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6

v3.*

v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.1.1
v3.1.2
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8

v4.*

v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.10.3
v4.11.0
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.5.0
v4.6.0
v4.6.1
v4.7.0
v4.8.0
v4.8.1
v4.9.0
v4.9.1
v4.9.2
v4.9.3
v4.9.4

v5.*

v5.0.0
v5.0.1
v5.1.0
v5.2.0
v5.2.1
v5.2.2
v5.3.0
v5.3.1
v5.3.3
v5.4.0

v6.*

v6.0.0
v6.1.0
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.3.0
v6.3.1
v6.3.10
v6.3.11
v6.3.12
v6.3.13
v6.3.14
v6.3.15
v6.3.16
v6.3.17
v6.3.18
v6.3.19
v6.3.2
v6.3.20
v6.3.21
v6.3.22
v6.3.23
v6.3.24
v6.3.25
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.9

v7.*

v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.0.8
v7.0.9
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7
v7.1.8
v7.2.0
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.2.5
v7.2.7
v7.2.8
v7.2.9
v7.3.0
v7.3.10
v7.3.11
v7.3.12
v7.3.13
v7.3.14
v7.3.15
v7.3.2
v7.3.3
v7.3.4
v7.3.5
v7.3.6
v7.3.7
v7.3.8
v7.3.9
v7.4.0
v7.4.1
v7.4.10
v7.4.11
v7.4.12
v7.4.13
v7.4.14
v7.4.2
v7.4.3
v7.4.5
v7.4.6
v7.4.7
v7.4.8
v7.4.9

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "source": "https://github.com/theonedev/onedev/commit/5b6a19c1f7fe9c271acc4268bcd261a9a1cbb3ea",
        "id": "CVE-2022-38301-3d5bd7b4",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "4036227750556757366120761807082145549",
                "305698129507790020253344111724872772412",
                "34509763288776831075644514587202674008",
                "155119148364517084043872745809425524862",
                "50924947957388579806394684274965678037",
                "51518771575055314723665270157897244644",
                "59819419787753412295939807534496680186",
                "36096575643980803387583992595361157911",
                "77093601192921479529764579062607497478",
                "103037741055751942162271770260622109027",
                "303602790597743434251549607990827997878",
                "27567720287210393804991368456743407285",
                "94017763287492234399474616791964158241",
                "63722236757304590260948337195796145966",
                "338832180393674099017637947821386179296",
                "301842965136991249789440145145354697581",
                "284760896566476776962003675892705114810",
                "235851899330256412458003421246585414762",
                "220884027888050459794073188008898298494",
                "158962672578729372529708767969367409584",
                "300295138110062516553005415241176174620",
                "289340667318224645059193734497748045190",
                "239521654543551591401606617941544314959",
                "334894816632291200140279345832675423719"
            ]
        },
        "target": {
            "file": "server-core/src/main/java/io/onedev/server/web/page/project/builds/detail/artifacts/ArtifactUploadPanel.java"
        },
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "source": "https://github.com/theonedev/onedev/commit/5b6a19c1f7fe9c271acc4268bcd261a9a1cbb3ea",
        "id": "CVE-2022-38301-3eeb628b",
        "digest": {
            "function_hash": "331617100111680005749968197275252836865",
            "length": 781.0
        },
        "target": {
            "file": "server-core/src/main/java/io/onedev/server/web/page/project/builds/detail/artifacts/ArtifactUploadPanel.java",
            "function": "onSubmit"
        },
        "deprecated": false,
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "source": "https://github.com/theonedev/onedev/commit/5b6a19c1f7fe9c271acc4268bcd261a9a1cbb3ea",
        "id": "CVE-2022-38301-be8d8582",
        "digest": {
            "function_hash": "93218656044981128505280301158802397492",
            "length": 1980.0
        },
        "target": {
            "file": "server-core/src/main/java/io/onedev/server/web/page/project/builds/detail/artifacts/ArtifactUploadPanel.java",
            "function": "onInitialize"
        },
        "deprecated": false,
        "signature_version": "v1"
    }
]