CVE-2024-45309

HIGH · EXPLOITED · NUCLEI

OneDev Unauthenticated Arbitrary File Read

Title source: metasploit

Exploitation Summary

CVE-2024-45309 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit, by vultza and Siebene: the Metasploit module auxiliary/gather/onedev_arbitrary_file_read. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2024-45309, an unauthenticated arbitrary file read vulnerability in OneDev <= 11.0.8. It uses path traversal to read files from the server, with optional brute-forcing of project names if anonymous access is disabled.

Description

OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files that the OneDev server process can access. This issue has been fixed in version 11.0.9.

Exploits (1)

metasploit · WORKING POC
by vultza, Siebene · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/onedev_arbitrary_file_read.rb

Classification: Working PoC (100%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: OneDev <= 11.0.8
Authentication: none needed
Prerequisites: Valid project name or wordlist for brute-forcing · Network access to the target
Analysis: devstral-2 · analyzed Feb 16, 2026
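The version range and path-traversal behaviour described in the exploitation summary and description above, as an added triage example that is not part of this page, the Metasploit module, or OneDev itself: a Ruby script that (1) classifies a reported OneDev version against the fixed release 11.0.9 and (2) flags traversal-style requests in web-server access-log lines, percent-decoding repeatedly first so that single- and double-encoded `../` sequences are caught. The endpoint the exploit targets is not given on this page, so the detection keys on a `..` path segment anywhere in the request path rather than on a specific route; the log lines, IPs and paths are constructed for the example and are not OneDev routes.

```ruby
require 'rubygems'

# Fixed release named in this page's description; every earlier version is affected.
FIXED_VERSION = Gem::Version.new('11.0.9')

# true  -> version is in the affected range (< 11.0.9)
# false -> version is at or above the fix
# nil   -> version string is not parseable; treat as "unknown", never as "safe"
def affected_version?(version)
  v = version.to_s.strip.sub(/\Av/i, '')
  return nil unless v.match?(/\A\d+(\.\d+)*\z/)
  Gem::Version.new(v) < FIXED_VERSION
end

# Percent-decode a request path until it stops changing, so single- and
# double-encoded "../" sequences (%2e%2e%2f, %252e%252e) are caught as well as
# literal ones. Work on bytes so that non-ASCII %xx escapes cannot raise.
def fully_decode(path)
  cur = path.to_s.b
  loop do
    nxt = cur.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    break if nxt == cur
    cur = nxt
  end
  cur.force_encoding(Encoding::UTF_8).scrub('?')
end

# A ".." path segment delimited by slashes (or backslashes) at either end.
# "..hidden" or "file..txt" are not traversal and are not matched.
TRAVERSAL = %r{(?:\A|[/\\])\.\.(?:[/\\]|\z)}

def traversal_request?(path)
  fully_decode(path).match?(TRAVERSAL)
end

# Constructed access-log lines (combined log format) for illustration only; the
# IPs are documentation ranges and the paths are invented, not OneDev routes.
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [21/Oct/2024:10:00:01 +0000] "GET /projects/list HTTP/1.1" 200 4122
  198.51.100.7 - - [21/Oct/2024:10:00:02 +0000] "GET /a/b/..%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 1523
  198.51.100.7 - - [21/Oct/2024:10:00:03 +0000] "GET /a/b/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1523
  203.0.113.5 - - [21/Oct/2024:10:00:04 +0000] "GET /x/../y HTTP/1.1" 404 0
LOG

LOG_LINE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) HTTP\/[\d.]+" (\d{3})/

# Return one hash per request whose (decoded) path contains a traversal segment.
# A 200 on such a request is the signal worth escalating: the server served it.
def flag_traversal(log_text)
  log_text.each_line.filter_map do |line|
    m = LOG_LINE.match(line)
    next unless m
    ip, time, path, status = m.captures
    next unless traversal_request?(path)
    { ip: ip, time: time, path: path, decoded: fully_decode(path), status: status.to_i }
  end
end

if $PROGRAM_NAME == __FILE__
  puts "11.0.8 affected? #{affected_version?('11.0.8')}"
  flag_traversal(SAMPLE_LOG).each { |h| puts "#{h[:ip]} #{h[:status]} #{h[:decoded]}" }
end
```

`affected_version?` deliberately returns nil rather than false for a banner it cannot parse, so an inventory script does not silently mark unknown hosts as patched. In the log pass, a traversal request answered with 200 is the one to escalate (the file was served); a 404 or 403 still records an attempt from that source and is worth correlating with the Shodan-exposed hosts listed under the Nuclei template.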

Nuclei Templates (1)

OneDev.io < 11.0.9 - Arbitrary File Read
HIGH · VERIFIED · by isacaya
Shodan: html:"onedev.io"

Scores

CVSS v3.1: 7.5 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.8897 (percentile 99.5%)
Attack Vector: NETWORK

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Note that the Vulnrichment Exploitation value of "none" conflicts with the VulnCheck KEV in-the-wild observation recorded above; for prioritization, treat the KEV entry and the public Metasploit module as the operative signals rather than this SSVC record.

Details

VulnCheck KEV 2026-05-16
CWE
CWE-22 CWE-200
Status published
Products (1)
onedev_project/onedev < 11.0.9
Published Oct 21, 2024
Tracked Since Feb 18, 2026