CVE-2021-21244

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely.
Configurations

Configuration 1 (hide)

cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:*

History

19 Oct 2022, 13:11

Type Values Removed Values Added
CWE CWE-74 CWE-94

Information

Published : 2021-01-15 20:15

Updated : 2024-02-04 21:23


NVD link : CVE-2021-21244

Mitre link : CVE-2021-21244

CVE.ORG link : CVE-2021-21244


JSON object : View

Products Affected

onedev_project

  • onedev
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')