Vulnerability Description
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file disclosure vulnerability can be used by unauthenticated attackers to leak all project files of any project. Since project IDs are incremental, an attacker could iterate through them and leak all project data. This issue has been resolved in version 7.3.0 and users are advised to upgrade. There are no known workarounds for this issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Onedev Project | Onedev | < 7.3.0 |
Related Weaknesses (CWE)
References
- https://blog.sonarsource.com/onedev-remote-code-execution/ExploitThird Party Advisory
- https://github.com/theonedev/onedev/commit/8aa94e0daf8447cdf76d4f27bfda0a85a7ea5PatchThird Party Advisory
- https://github.com/theonedev/onedev/security/advisories/GHSA-h427-rv56-c9h2Third Party Advisory
- https://blog.sonarsource.com/onedev-remote-code-execution/ExploitThird Party Advisory
- https://github.com/theonedev/onedev/commit/8aa94e0daf8447cdf76d4f27bfda0a85a7ea5PatchThird Party Advisory
- https://github.com/theonedev/onedev/security/advisories/GHSA-h427-rv56-c9h2Third Party Advisory
FAQ
What is CVE-2022-39208?
CVE-2022-39208 is a vulnerability with a CVSS score of 7.5 (HIGH). Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all ...
How severe is CVE-2022-39208?
CVE-2022-39208 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-39208?
Check the references section above for vendor advisories and patch information. Affected products include: Onedev Project Onedev.