Description
OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/theonedev/onedev/security/advisories/GHSA-5864-2496-4xjf
Patch, Third Party Advisory x_refsource_misc
https://github.com/theonedev/onedev/commit/4440f0c57e440488d7e653417b2547eaae8ad19c
Scores
CVSS v3
3.1
EPSS
0.0107
EPSS Percentile
60.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-90
Status
published
Products (1)
onedev_project/onedev
< 4.4.2
Published
Jun 01, 2021
Tracked Since
Feb 18, 2026