Description
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user-controlled data (`request.getInputStream()`) to a user-specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload, which can be used to upload a WebShell to the OneDev server. This issue is addressed in 4.0.3 by only allowing uploaded files to be written inside the attachments folder. With that restriction in place, the webshell issue is not possible, as OneDev never executes files in the attachments folder.
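The fix described above confines the destination path to the attachments folder. As an added example that is not OneDev's own code, the following hypothetical helper shows how such a confinement check is done in Java: the user-supplied name from the File-Name header is resolved under a fixed base directory, normalized, and rejected if it escapes that directory (the base path and sample names are constructed for illustration).

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not part of OneDev: confine an upload name taken from a
// user-controlled header (such as File-Name) to a fixed attachments directory.
public class AttachmentPathCheck {

    /**
     * Resolve fileName under attachmentsDir and reject any name that would
     * escape it, e.g. "../escape.txt" or an absolute path.
     */
    public static Path safeAttachmentPath(Path attachmentsDir, String fileName) {
        Path base = attachmentsDir.toAbsolutePath().normalize();
        // resolve() returns an absolute argument unchanged, so reject it up front.
        if (fileName == null || fileName.isEmpty() || Paths.get(fileName).isAbsolute()) {
            throw new IllegalArgumentException("invalid file name");
        }
        // normalize() collapses "." and ".." before the containment check.
        Path target = base.resolve(fileName).normalize();
        // Path.startsWith compares whole components, so a sibling directory
        // such as "attachments-other" is not mistaken for a child of "attachments".
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("file name escapes attachments folder");
        }
        return target;
    }

    public static void main(String[] args) {
        // Hypothetical base directory, constructed for this example.
        Path base = Paths.get("/var/onedev/attachments");
        System.out.println("accepted: " + safeAttachmentPath(base, "uuid-1234/report.pdf"));
        for (String bad : new String[] {"../escape.txt", "/etc/hostname", "a/../../b"}) {
            try {
                safeAttachmentPath(base, bad);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

The check should run on the final path actually opened for writing; validating the header string alone leaves encoded or normalized variants unhandled.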
References (2)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/theonedev/onedev/security/advisories/GHSA-62m2-38q5-96w9
Patch, Third Party Advisory x_refsource_misc
https://github.com/theonedev/onedev/commit/0c060153fb97c0288a1917efdb17cc426934dacb
Scores
CVSS v3
10.0
EPSS
0.0034
EPSS Percentile
57.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Details
CWE
CWE-434
Status
published
Products (1)
onedev_project/onedev
< 4.0.3
Published
Jan 15, 2021
Tracked Since
Feb 18, 2026