Vulnerability Description
OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Onedev Project | Onedev | < 4.4.2 |
Related Weaknesses (CWE)
References
- https://github.com/theonedev/onedev/commit/4440f0c57e440488d7e653417b2547eaae8adPatchThird Party Advisory
- https://github.com/theonedev/onedev/security/advisories/GHSA-5864-2496-4xjfExploitThird Party Advisory
- https://github.com/theonedev/onedev/commit/4440f0c57e440488d7e653417b2547eaae8adPatchThird Party Advisory
- https://github.com/theonedev/onedev/security/advisories/GHSA-5864-2496-4xjfExploitThird Party Advisory
FAQ
What is CVE-2021-32651?
CVE-2021-32651 is a vulnerability with a CVSS score of 3.1 (LOW). OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged...
How severe is CVE-2021-32651?
CVE-2021-32651 has been rated LOW with a CVSS base score of 3.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32651?
Check the references section above for vendor advisories and patch information. Affected products include: Onedev Project Onedev.