CVE-2021-21250 Information

Description

OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3 there is a critical vulnerability which may lead to arbitrary file read. When a BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString), which parses the XML document without preventing the expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents into the final XML document to be migrated. If the files are dumped into properties included in the YAML file, an attacker can read them directly. If not, an attacker can still exfiltrate the contents of these files out of band. This issue was addressed in 4.0.3 by ignoring ENTITY instructions in the XML file.
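
The parser behaviour described above can be checked with a small regression test. This is an added example, not OneDev's code or its patch (the referenced commit holds that); the class name, the canary file and the sample XML are constructed here, and the use of the JDK's built-in JAXP parser is an assumption rather than OneDev's actual XML library.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Hypothetical regression check: does a parser configuration pull an
// external entity's file contents into the parsed build spec?
public class BuildSpecXxeCheck {

    // Factory with no hardening applied (whatever the runtime's defaults are).
    static DocumentBuilderFactory defaults() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: a DOCTYPE is tolerated, but external entities and
    // external DTDs are never fetched, so ENTITY declarations have no effect.
    static DocumentBuilderFactory hardened() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the spec and returns the text content of its root element.
    static String parseText(DocumentBuilderFactory f, String xml) throws Exception {
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed canary file standing in for "a file the spec must not read".
        Path canary = Files.createTempFile("xxe-canary", ".txt");
        Files.writeString(canary, "CANARY-CONTENT");
        // Constructed sample spec that references the canary as an external entity.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE spec [<!ENTITY ext SYSTEM \"" + canary.toUri() + "\">]>\n"
            + "<spec><name>&ext;</name></spec>";
        System.out.println("defaults expose canary: "
            + parseText(defaults(), xml).contains("CANARY-CONTENT"));
        System.out.println("hardened exposes canary: "
            + parseText(hardened(), xml).contains("CANARY-CONTENT"));
        Files.delete(canary);
    }
}
```

Run it with Java 11 or later. A parser configured like `hardened()` should never report the canary, which makes the check usable as a unit test around any code path that accepts XML build specs.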

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

https://github.com/theonedev/onedev/security/advisories/GHSA-9pph-8gfc-6w2r
https://github.com/theonedev/onedev/commit/9196fd795e87dab069b4260a3590a0ea886e770f

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

6.5

Base Severity

MEDIUM
