CVE-2021-21242 - Deserialization of Untrusted Data vulnerability in Onedev Project Onedev
CVSS v3 metrics
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH
Summary
OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, AttachmentUploadServlet deserializes untrusted data taken from the `Attachment-Support` request header, and the servlet enforces no authentication or authorization checks, so the deserialization is reachable by any unauthenticated client that can reach the service. Because attacker-controlled bytes are handed to the Java deserializer (CWE-502), this can lead to pre-auth remote code execution. The issue was fixed in 4.0.3 by removing AttachmentUploadServlet and no longer using deserialization for this data.
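As an added illustration, not OneDev's code and not taken from the advisory or the fix commit, the following shows the pattern the summary describes (request header fed straight to ObjectInputStream) beside the remedy the advisory names (parse a plain value, never deserialize), with an allow-list ObjectInputFilter as a stopgap for code that cannot drop deserialization immediately. The header name comes from the advisory; the assumption that its value is a Base64-encoded Java serialization stream, the `<projectId>;<maxBytes>` grammar, and every class and method name below are inventions for this example (Java 17 or later):

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Illustration of the CWE-502 pattern behind CVE-2021-21242 and two ways out of it.
 * Not OneDev's code. Assumptions: the header carries a Base64-encoded Java
 * serialization stream (the advisory only says the header is deserialized), and
 * the "<projectId>;<maxBytes>" grammar of the hardened variant is invented here.
 */
public class AttachmentHeaderDemo {

    static final String HEADER = "Attachment-Support";

    // Vulnerable pattern: header bytes go straight into ObjectInputStream.
    // readObject() resolves and constructs every class named in the stream before
    // the caller sees anything, so any gadget chain on the classpath runs here.
    static Object vulnerableParse(String headerValue) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(headerValue);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    // Stopgap if deserialization cannot be removed at once (Java 9+): an allow-list
    // ObjectInputFilter rejects every class that is not named explicitly.
    static Object filteredParse(String headerValue, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(headerValue);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    // The fix the advisory describes: stop deserializing. The header is a plain
    // string with a tiny grammar; nothing in it can name a class.
    record AttachmentSupport(String projectId, long maxBytes) {}

    static AttachmentSupport safeParse(String headerValue) {
        if (headerValue == null || headerValue.length() > 128) {
            throw new IllegalArgumentException("header missing or too long");
        }
        String[] parts = headerValue.split(";", -1);
        if (parts.length != 2 || !parts[0].matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("malformed " + HEADER);
        }
        long maxBytes = Long.parseLong(parts[1]); // NumberFormatException (an IAE) on junk
        if (maxBytes < 0 || maxBytes > (1L << 30)) {
            throw new IllegalArgumentException("maxBytes out of range");
        }
        return new AttachmentSupport(parts[0], maxBytes);
    }

    // Helper used only to build constructed sample inputs for main().
    static String serializeToBase64(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: a harmless String and a HashMap stand in for
        // whatever a client chooses to put in the header.
        String benign = serializeToBase64("proj-1;1024");
        Map<String, String> map = new HashMap<>();
        map.put("k", "v");
        String arbitrary = serializeToBase64(map);

        // Vulnerable path instantiates any class the client names.
        System.out.println("vulnerable: " + vulnerableParse(benign).getClass().getName());
        System.out.println("vulnerable: " + vulnerableParse(arbitrary).getClass().getName());

        // Filter: only java.lang.String passes; everything else is rejected
        // before its class is resolved.
        ObjectInputFilter stringOnly = ObjectInputFilter.Config.createFilter("java.lang.String;!*");
        System.out.println("filtered: " + filteredParse(benign, stringOnly));
        try {
            filteredParse(arbitrary, stringOnly);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected HashMap (" + e.getMessage() + ")");
        }

        // Hardened path: no object stream at all.
        System.out.println("safe: " + safeParse("proj-1;1024"));
        try {
            safeParse(arbitrary); // a Base64 blob does not fit the grammar
        } catch (IllegalArgumentException e) {
            System.out.println("safe: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter variant is a mitigation, not the fix: it still parses the stream and depends on the allow-list staying complete. The `safeParse` path is what the advisory's remedy amounts to, since a request header that is never handed to an object stream cannot name a class at all.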
Vulnerable Configurations
- OneDev before version 4.0.3 (fixed in 4.0.3)
Common Weakness Enumeration (CWE)
- CWE-502: Deserialization of Untrusted Data
References
- https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be
- https://github.com/theonedev/onedev/security/advisories/GHSA-5q3q-f373-2jv8