Vulnerability Description
OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, there is a vulnerability that enabled pre-auth server-side template injection via Bean validation message tampering. Full details are in the referenced GHSA. This issue was fixed in 4.0.3 by disabling validation message interpolation completely.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Onedev Project | Onedev | < 4.0.3 |
Related Weaknesses (CWE)
References
- https://github.com/theonedev/onedev/commit/4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3 (Patch, Third Party Advisory)
- https://github.com/theonedev/onedev/security/advisories/GHSA-vm26-xg39-cfj4 (Third Party Advisory)
FAQ
What is CVE-2021-21244?
CVE-2021-21244 is a vulnerability with a CVSS score of 10.0 (CRITICAL). OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, there is a vulnerability that enabled pre-auth server-side template injection via Bean validation message tampering. Full details are in the referenced GHSA.
How severe is CVE-2021-21244?
CVE-2021-21244 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-21244?
Check the references section above for vendor advisories and patch information. Affected products include: Onedev Project Onedev.