CVE-2021-21243 - Deserialization of Untrusted Data vulnerability in Onedev Project Onedev
CVSS metrics
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks, so the issue may lead to pre-authentication remote code execution (RCE). The issue was fixed in 4.0.3 by no longer using Java deserialization on the KubernetesResource side.
References
- https://github.com/theonedev/onedev/commit/9637fc8fa461c5777282a0021c3deb1e7a48f137
- https://github.com/theonedev/onedev/security/advisories/GHSA-9mmq-fm8c-q4fv