CVE-2021-21250

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString); which processes the XML document without preventing the expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents in the final XML document to be migrated. If the files are dumped in properties included in the YAML file, it will be possible for an attacker to read them. If not, it is possible for an attacker to exfiltrate the contents of these files Out Of Band. This issue was addressed in 4.0.3 by ignoring ENTITY instructions in xml file.

CVSS v3 7.7 HIGH
CVSS v2.0 4.0 MEDIUM

7.7^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/theonedev/onedev/commit/9196fd795e87dab069b4260a3590a0ea886e770f	Patch Third Party Advisory
https://github.com/theonedev/onedev/security/advisories/GHSA-9pph-8gfc-6w2r	Third Party Advisory
https://github.com/theonedev/onedev/commit/9196fd795e87dab069b4260a3590a0ea886e770f	Patch Third Party Advisory
https://github.com/theonedev/onedev/security/advisories/GHSA-9pph-8gfc-6w2r	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:47

Type	Values Removed	Values Added
CVSS	v2 : ~~4.0~~ v3 : ~~6.5~~	v2 : 4.0 v3 : 7.7
References	~~() https://github.com/theonedev/onedev/commit/9196fd795e87dab069b4260a3590a0ea886e770f - Patch, Third Party Advisory~~	() https://github.com/theonedev/onedev/commit/9196fd795e87dab069b4260a3590a0ea886e770f - Patch, Third Party Advisory
References	~~() https://github.com/theonedev/onedev/security/advisories/GHSA-9pph-8gfc-6w2r - Third Party Advisory~~	() https://github.com/theonedev/onedev/security/advisories/GHSA-9pph-8gfc-6w2r - Third Party Advisory

Information

Published : 2021-01-15 21:15

Updated : 2024-11-21 05:47

NVD link : CVE-2021-21250

Mitre link : CVE-2021-21250

CVE.ORG link : CVE-2021-21250

JSON object : View

Products Affected

onedev_project

onedev

CWE

CWE-538

Insertion of Sensitive Information into Externally-Accessible File or Directory

{"id": "CVE-2021-21250", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2021-01-15T21:15:13.803", "references": [{"url": "https://github.com/theonedev/onedev/commit/9196fd795e87dab069b4260a3590a0ea886e770f", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/theonedev/onedev/security/advisories/GHSA-9pph-8gfc-6w2r", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/theonedev/onedev/commit/9196fd795e87dab069b4260a3590a0ea886e770f", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/theonedev/onedev/security/advisories/GHSA-9pph-8gfc-6w2r", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-538"}]}], "descriptions": [{"lang": "en", "value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString); which processes the XML document without preventing the expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents in the final XML document to be migrated. If the files are dumped in properties included in the YAML file, it will be possible for an attacker to read them. If not, it is possible for an attacker to exfiltrate the contents of these files Out Of Band. This issue was addressed in 4.0.3 by ignoring ENTITY instructions in xml file."}, {"lang": "es", "value": "OneDev es una plataforma devops todo en uno. En OneDev versiones anteriores a 4.0.3, Se presenta una vulnerabilidad cr\u00edtica que puede conllevar a una lectura arbitraria de archivos. Cuando BuildSpec se proporciona en formato XML, XmlBuildSpecMigrator.migrate (buildSpecString) procesa la especificaci\u00f3n; que procesa el documento XML sin evitar la expansi\u00f3n de entidades externas. Estas entidades se pueden configurar para leer archivos arbitrarios del sistema de archivos y volcar su contenido en el documento XML final que se migrar\u00e1. Si los archivos se vuelcan en propiedades incluidas en el archivo YAML, un atacante podr\u00e1 leerlos. Si no es as\u00ed, es posible a un atacante exfiltre el contenido de estos archivos Fuera de la Banda. Este problema es corregido en versi\u00f3n 4.0.3 ignorando las instrucciones de ENTITY en el archivo xml"}], "lastModified": "2024-11-21T05:47:51.823", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5287F01C-3A77-4491-AB49-401A50FAA6E9", "versionEndExcluding": "4.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

7.7 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2021-21250

7.7^/10

4.0^/10

Attach tags to `CVE-2021-21250`