CVE-2023-24828

HIGH

Onedev <7.9.12 - Privilege Escalation

Title source: llm

Description

Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12 the algorithm used to generate access tokens and password reset keys was not cryptographically secure. Existing normal users (or everyone, if self-registration is allowed) may exploit this to elevate privilege and obtain administrator permission. This issue has been addressed in version 7.9.12. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Scores

CVSS v3 8.1
EPSS 0.0030
EPSS Percentile 53.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-338
Status published
Products (1)
onedev_project/onedev < 7.9.12
Published Feb 08, 2023
Tracked Since Feb 18, 2026