Vulnerability: CVE-2021-21242

OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header, and the servlet does not enforce any authentication or authorization checks, so the deserialization is reachable without logging in. This issue was fixed in 4.0.3 by removing AttachmentUploadServlet and not using deserialization.
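As an added detection example (not OneDev's code), the following flags request records whose `Attachment-Support` header decodes to a Java serialization stream, which is the condition a defender would want to alert on for this issue; the base64 encoding of the header value and the record format are assumptions, since the advisory states neither.

```python
# Added example, not OneDev's code: flag requests whose `Attachment-Support`
# header carries a Java serialization stream. Assumed (ours): the value is
# base64-encoded; records use the constructed "METHOD PATH | Header: v" format.
import base64
import binascii

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC 0xACED, STREAM_VERSION 5
WATCHED_HEADER = "attachment-support"     # header named in the advisory

def header_bytes(value: str) -> bytes:
    """Raw bytes a header value represents; base64 is undone when it validates."""
    value = value.strip()
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return value.encode("latin-1", errors="replace")

def parse_record(line: str) -> dict:
    """Parse one constructed record into method, path and lowercased headers."""
    parts = [p.strip() for p in line.split("|")]
    method, _, path = parts[0].partition(" ")
    headers = {}
    for part in parts[1:]:
        name, _, val = part.partition(":")
        headers[name.strip().lower()] = val.strip()
    return {"method": method, "path": path, "headers": headers}

def is_suspicious(record: dict) -> bool:
    """True when the watched header decodes to a Java serialization stream."""
    value = record["headers"].get(WATCHED_HEADER)
    return value is not None and header_bytes(value).startswith(JAVA_STREAM_MAGIC)

def flag_requests(lines) -> list:
    """(path, header value) for every record worth alerting on."""
    hits = []
    for rec in (parse_record(ln) for ln in lines if ln.strip()):
        if is_suspicious(rec):
            hits.append((rec["path"], rec["headers"][WATCHED_HEADER]))
    return hits

# Constructed records; path invented; "rO0ABXNy" = base64 of AC ED 00 05 73 72.
SAMPLE_LOG = [
    "POST /attachment_upload | Host: dev.example.test | Attachment-Support: rO0ABXNy",
    "POST /attachment_upload | Host: dev.example.test | Attachment-Support: true",
    "GET /projects | Host: dev.example.test | Cookie: JSESSIONID=abc",
]

if __name__ == "__main__":
    for path, value in flag_requests(SAMPLE_LOG):
        print(f"ALERT: serialized Java object in {WATCHED_HEADER} for {path}")
```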


https://github.com/theonedev/onedev/security/advisories/GHSA-5q3q-f373-2jv8
https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21242

