CVE-2024-45309
Severity: HIGH · Source: Nuclei
OneDev Unauthenticated Arbitrary File Read
Title source: metasploit
Description
OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9.
Exploits (1)
metasploit (working PoC, Ruby) by vultza, Siebene
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/onedev_arbitrary_file_read.rb
Nuclei Templates (1)
OneDev.io < 11.0.9 - Arbitrary File Read
Severity: HIGH · Verified · by isacaya
Shodan query: html:"onedev.io"
Scores
CVSS v3: 7.5
EPSS: 0.8897
EPSS Percentile: 99.5%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-22, CWE-200
Status: published
Products (1): onedev_project/onedev < 11.0.9
Published: Oct 21, 2024
Tracked Since: Feb 18, 2026