Critical severity 10.0 · NVD Advisory · Published Jan 15, 2021 · Updated Jun 17, 2026
CVE-2021-21245
Description
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user-controlled data (request.getInputStream()) to a user-specified location (request.getHeader("File-Name")). This issue may lead to arbitrary file upload, which can be used to upload a WebShell to the OneDev server. This issue is addressed in 4.0.3 by only allowing uploaded files to be in the attachments folder. The webshell issue is not possible as OneDev never executes files in the attachments folder.
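The containment check that the fix describes (uploads may only land in the attachments folder), as an added example: this is not OneDev's code and is not taken from the patch. The class name, method names and sample file names are hypothetical, and the sample inputs are constructed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

public class AttachmentPathCheck {

    // Resolve a client-supplied name (e.g. a "File-Name" header value) under
    // attachmentsDir and reject anything that would land outside that folder.
    static Path resolveInside(Path attachmentsDir, String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty())
            throw new IOException("missing file name");
        Path base = attachmentsDir.toAbsolutePath().normalize();
        Path target;
        try {
            // An absolute fileName replaces base entirely; ".." segments are
            // collapsed by normalize(). Both cases fail the check below.
            target = base.resolve(fileName).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("invalid file name", e);
        }
        // Path.startsWith compares whole path elements, so a sibling such as
        // "attachments-other" does not pass as being inside "attachments".
        if (target.equals(base) || !target.startsWith(base))
            throw new IOException("file name escapes attachments folder: " + fileName);
        return target;
    }

    // Hypothetical save routine: the body is written only after the check passes.
    static void save(Path attachmentsDir, String fileName, InputStream body) throws IOException {
        Path target = resolveInside(attachmentsDir, fileName);
        Files.createDirectories(target.getParent());
        Files.copy(body, target, StandardCopyOption.REPLACE_EXISTING);
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("attachments");
        // Constructed sample names: two plain uploads, three escape attempts.
        String[] names = {"report.txt", "sub/notes.md", "../outside.txt", "/tmp/abs.txt", "a/../../b.txt"};
        for (String n : names) {
            try {
                System.out.println("accepted: " + dir.relativize(resolveInside(dir, n)));
            } catch (IOException e) {
                System.out.println("rejected: " + n);
            }
        }
    }
}
```

The check is lexical: it does not resolve symbolic links that already exist inside the attachments folder, so a deployment that allows those would need to compare real paths as well.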
References
- github.com/theonedev/onedev/commit/0c060153fb97c0288a1917efdb17cc426934dacb (NVD: Patch, Third Party Advisory)
- github.com/theonedev/onedev/security/advisories/GHSA-62m2-38q5-96w9 (NVD: Third Party Advisory)