Post-Auth External Entity Expansion (XXE)
CVE-2021-21250

7.7HIGH

Key Information:

Vendor: Theonedev
Status: Onedev
Vendor: CVE Published:; 15 January 2021

What is CVE-2021-21250?

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString); which processes the XML document without preventing the expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents in the final XML document to be migrated. If the files are dumped in properties included in the YAML file, it will be possible for an attacker to read them. If not, it is possible for an attacker to exfiltrate the contents of these files Out Of Band. This issue was addressed in 4.0.3 by ignoring ENTITY instructions in xml file.

Affected Version(s)

onedev < 4.0.3

References

https://github.com/theonedev/onedev/security/advisories/G...

x_refsource_CONFIRM

https://github.com/theonedev/onedev/commit/9196fd795e87da...

x_refsource_MISC

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 15, 2021
Vulnerability Reserved
Dec 22, 2020

CVE-2021-21250 Data

JSON

Theonedev

What is CVE-2021-21250?

Affected Version(s)

References

CVSS V3.1

Timeline