CVE-2021-21250

HIGH

OneDev <4.0.3 - Info Disclosure

Title source: llm

Description

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString); which processes the XML document without preventing the expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents in the final XML document to be migrated. If the files are dumped in properties included in the YAML file, it will be possible for an attacker to read them. If not, it is possible for an attacker to exfiltrate the contents of these files Out Of Band. This issue was addressed in 4.0.3 by ignoring ENTITY instructions in xml file.

References (2)

[Third Party Advisory] https://github.com/theonedev/onedev/security/advisories/GHSA-9pph-8gfc-6w2r

[Patch, Third Party Advisory] https://github.com/theonedev/onedev/commit/9196fd795e87dab069b4260a3590a0ea886e770f

View Patch ZIP pw:eip

Scores

CVSS v3 7.7

EPSS 0.0029

EPSS Percentile 52.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Details

CWE

CWE-538

Status published

Products (1)

onedev_project/onedev < 4.0.3

Published Jan 15, 2021

Tracked Since Feb 18, 2026