Vulnerability Description
OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (`AbstractPostAjaxBehavior`) on every page other than the login page. This listener decodes and deserializes the `data` query parameter, and it can be reached by submitting a POST request to any page. The issue may lead to post-authentication RCE. Because the endpoint is subject to authentication, a valid user account is required to carry out the attack. The issue was addressed in 4.0.3 by encrypting the serialization payload with secrets known only to the server, so the listener no longer deserializes arbitrary client-supplied data.
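The two patterns the description contrasts, as an added illustration that is not OneDev's or Wicket's code: a handler that Base64-decodes and deserializes a request parameter as-is, beside a hardened variant that only deserializes payloads the server itself minted under an AES-GCM key it never shares with clients, with an `ObjectInputFilter` allowlist as defence in depth. Only the `data` parameter and the "server-secret encryption" fix come from the advisory; the class name `AjaxDataParam`, the method names, the token layout (nonce || ciphertext || tag) and the allowlist contents are assumptions made for the example.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical illustration of the advisory's vulnerable and hardened patterns (not OneDev code). */
public final class AjaxDataParam {

    // --- Vulnerable pattern: whatever the client put in `data` is deserialized directly. ---
    static Object decodeUntrusted(String dataParam) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getUrlDecoder().decode(dataParam);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject(); // any serializable class on the classpath can be instantiated here
        }
    }

    // --- Hardened pattern: the payload is AES-GCM encrypted with a server-only key. ---
    // A client can only echo back tokens the server minted; a forged or tampered token
    // fails the GCM authentication tag check before any deserialization takes place.
    private static final SecureRandom RNG = new SecureRandom();
    private static final int NONCE_BYTES = 12;
    private static final int TAG_BITS = 128;
    // Assumed allowlist: only java.lang / java.util classes may be deserialized, everything else rejected.
    private static final ObjectInputFilter ALLOWLIST =
            ObjectInputFilter.Config.createFilter("java.lang.*;java.util.*;!*");

    static String encode(Serializable value, SecretKey serverKey) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce); // fresh nonce per token; never reuse a nonce under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, serverKey, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(bos.toByteArray()); // ciphertext with the 16-byte tag appended
        byte[] token = new byte[NONCE_BYTES + ct.length];
        System.arraycopy(nonce, 0, token, 0, NONCE_BYTES);
        System.arraycopy(ct, 0, token, NONCE_BYTES, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(token);
    }

    static Object decode(String dataParam, SecretKey serverKey)
            throws IOException, GeneralSecurityException, ClassNotFoundException {
        byte[] token = Base64.getUrlDecoder().decode(dataParam);
        if (token.length < NONCE_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("token too short");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, serverKey, new GCMParameterSpec(TAG_BITS, token, 0, NONCE_BYTES));
        // Throws AEADBadTagException (a GeneralSecurityException) if the token was not minted under serverKey.
        byte[] plain = cipher.doFinal(token, NONCE_BYTES, token.length - NONCE_BYTES);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            in.setObjectInputFilter(ALLOWLIST); // defence in depth even for authenticated payloads
            return in.readObject();
        }
    }

    /** A class outside the allowlist, used only to show the filter rejecting it. */
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        byte[] keyBytes = new byte[32];
        RNG.nextBytes(keyBytes); // in a real server the key comes from server-side config, never from a client
        SecretKey key = new SecretKeySpec(keyBytes, "AES");

        // 1. A server-minted token round-trips.
        String token = encode("component:42", key);
        System.out.println("server-minted token decodes to: " + decode(token, key));

        // 2. A token with one flipped byte is rejected by the GCM tag before deserialization.
        byte[] forged = Base64.getUrlDecoder().decode(token);
        forged[forged.length - 1] ^= 0x01;
        try {
            decode(Base64.getUrlEncoder().withoutPadding().encodeToString(forged), key);
        } catch (GeneralSecurityException e) {
            System.out.println("tampered token rejected: " + e.getClass().getSimpleName());
        }

        // 3. Even a correctly encrypted payload is rejected if its class is not on the allowlist.
        try {
            decode(encode(new Unexpected(), key), key);
        } catch (InvalidClassException e) {
            System.out.println("non-allowlisted class rejected: " + e.getMessage());
        }
    }
}
```

The order of checks is the point: the authentication tag is verified on the raw bytes first, so no attacker-controlled bytes ever reach `ObjectInputStream`, and the filter then bounds what the server's own tokens may contain. Requires Java 9 or later for `ObjectInputFilter`.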
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Onedev Project | Onedev | < 4.0.3 |
Related Weaknesses (CWE)
References
- https://github.com/theonedev/onedev/security/advisories/GHSA-6pxf-75cf-vwjp (Third Party Advisory)
FAQ
What is CVE-2021-21247?
CVE-2021-21247 is a vulnerability with a CVSS score of 9.6 (CRITICAL). OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (`AbstractPostAjaxBehavior`) in all pages other than the login page...
How severe is CVE-2021-21247?
CVE-2021-21247 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-21247?
Check the references section above for vendor advisories and patch information. Affected products include: Onedev Project Onedev (versions before 4.0.3).