CVE-2021-32651

LOW

OneDev <4.4.1 - Blind LDAP Injection


Description

OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2.
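An added example (not OneDev's code or its fix) of the class of bug described above: a login name substituted into a search-filter template unescaped, beside the same substitution with RFC 4515 escaping. The template value, function names and sample inputs are assumptions constructed for illustration.

```python
# Added example: RFC 4515 escaping for values placed into an LDAP search filter.
# USER_SEARCH_FILTER is a constructed template, not OneDev's actual setting.
USER_SEARCH_FILTER = "(&(uid={0})(objectClass=person))"

# Characters RFC 4515 requires to be escaped inside an assertion value.
_SPECIAL = {0x00, ord("("), ord(")"), ord("*"), ord("\\")}


def escape_filter_value(value: str) -> str:
    """Escape special bytes as \\XX; non-ASCII bytes are escaped too,
    which RFC 4515 permits."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in _SPECIAL or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_filter_unsafe(template: str, login: str) -> str:
    """Vulnerable pattern: the login name is substituted without escaping."""
    return template.replace("{0}", login)


def build_filter_safe(template: str, login: str) -> str:
    """Hardened pattern: the login name can only ever be an assertion value."""
    return template.replace("{0}", escape_filter_value(login))


def wildcard_count(ldap_filter: str) -> int:
    """Count unescaped '*' characters, i.e. wildcards the server will honour."""
    count, i = 0, 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # skip a \XX escape sequence
            continue
        if ldap_filter[i] == "*":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    for login in ["alice", "a*", "al(i)ce\\"]:  # constructed sample inputs
        print(repr(login),
              build_filter_unsafe(USER_SEARCH_FILTER, login),
              build_filter_safe(USER_SEARCH_FILTER, login))
```

A check such as wildcard_count can also be run over the final filter string in tests to confirm that no user-supplied metacharacter survives substitution.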

Scores

CVSS v3: 3.1
EPSS: 0.0025
EPSS Percentile: 47.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE: CWE-90
Status: published
Products (1): onedev_project/onedev < 4.4.2
Published: Jun 01, 2021
Tracked Since: Feb 18, 2026