CVE - CVE-2021-21248

CVE-ID
CVE-2021-21248	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job parameters can run arbitrary code on OneDev's server by injecting arbitrary Groovy code. The ultimate result is in the injection of a static constructor that will run arbitrary code. For a full example refer to the referenced GHSA. This issue was addressed in 4.0.3 by escaping special characters such as quote from user input.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://github.com/theonedev/onedev/security/advisories/GHSA-gwp4-5498-hv5f URL:https://github.com/theonedev/onedev/security/advisories/GHSA-gwp4-5498-hv5f MISC:https://github.com/theonedev/onedev/commit/39d95ab8122c5d9ed18e69dc024870cae08d2d60 URL:https://github.com/theonedev/onedev/commit/39d95ab8122c5d9ed18e69dc024870cae08d2d60
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20201222	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20201222)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)