VYPR

OneDev

by OneDev

Source repositories

CVEs (6)

  • CVE-2023-24828 (High, Feb 8, 2023)
    risk 0.00, CVSS 8.1, EPSS 0.01

    Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12 the algorithm used to generate access token and password reset keys was not cryptographically secure. Existing normal users (or everyone if it allows self-registration) may exploit this to…

  • CVE-2022-39208 (High, Sep 13, 2022)
    risk 0.00, CVSS 7.5, EPSS 0.01

    Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file…

  • CVE-2022-39207 (Medium, Sep 13, 2022)
    risk 0.00, CVSS 5.4, EPSS 0.01

    Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. During CI/CD builds, it is possible to save build artifacts for later retrieval. They can be accessed through OneDev's web UI after the successful run of a build. These artifact files are served by the…

  • CVE-2022-39206 (Critical, Sep 13, 2022)
    risk 0.00, CVSS 9.9, EPSS 0.02

    Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to…

  • CVE-2022-39205 (Critical, Sep 13, 2022)
    risk 0.00, CVSS 9.0, EPSS 0.02

    Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior to 7.3.0 unauthenticated users can take over a OneDev instance if there is no properly configured reverse proxy. The /git-prereceive-callback endpoint is used by the pre-receive…

  • CVE-2021-32651 (Low, Jun 1, 2021)
    risk 0.00, CVSS 3.1, EPSS 0.01

    OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP…