VYPR

Onedev

by Theonedev

Source repositories

CVEs (24)

  • CVE-2021-21247CriJan 15, 2021
    risk 0.63cvss 9.6epss 0.01

    OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (`AbstractPostAjaxBehavior`) in all pages other than the login page. This listener decodes and deserializes the `data` query parameter. We can…

  • CVE-2021-21251HigJan 15, 2021
    risk 0.51cvss 7.7epss 0.12

    OneDev is an all-in-one devops platform. In OneDev before version 4.0.3 there is a critical "zip slip" vulnerability. This issue may lead to arbitrary file write. The KubernetesResource REST endpoint untars user controlled data from the request body using TarUtils. TarUtils is a…

  • CVE-2026-44647HigMay 14, 2026
    risk 0.39cvss epss 0.00

    OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that…

  • CVE-2026-11441MedJun 6, 2026
    risk 0.34cvss 6.3epss 0.00

    A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch…

  • CVE-2026-11440MedJun 6, 2026
    risk 0.34cvss 6.3epss 0.00

    A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to…

  • CVE-2026-11439MedJun 6, 2026
    risk 0.34cvss 6.3epss 0.00

    A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be…

  • CVE-2026-11438MedJun 6, 2026
    risk 0.34cvss 6.3epss 0.00

    A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out…

  • CVE-2021-21242CriJan 15, 2021
    risk 0.06cvss 10.0epss 0.74

    OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce…

  • CVE-2024-45309Oct 21, 2024
    risk 0.05cvss epss 0.25

    OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9.

  • CVE-2021-21246HigJan 15, 2021
    risk 0.04cvss 8.6epss 0.49

    OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/{id}` endpoint there are no security checks enforced so it is…

  • CVE-2021-21243CriJan 15, 2021
    risk 0.04cvss 10.0epss 0.54

    OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks. This issue may lead to…

  • CVE-2026-49248Jun 18, 2026
    risk 0.00cvss epss 0.00

    OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar() creates symbolic links verbatim from TAR entry getLinkName() without validating whether the target is an absolute path. A subsequent file entry in the same archive traverses…

  • CVE-2023-24828HigFeb 8, 2023
    risk 0.00cvss 8.1epss 0.01

    Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12 the algorithm used to generate access token and password reset keys was not cryptographically secure. Existing normal users (or everyone if it allows self-registration) may exploit this to…

  • CVE-2022-38301HigSep 14, 2022
    risk 0.00cvss 8.8epss 0.01

    Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories via uploading a crafted JAR file into the directory /opt/onedev/lib.

  • CVE-2022-39208HigSep 13, 2022
    risk 0.00cvss 7.5epss 0.01

    Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file…

  • CVE-2022-39207MedSep 13, 2022
    risk 0.00cvss 5.4epss 0.01

    Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. During CI/CD builds, it is possible to save build artifacts for later retrieval. They can be accessed through OneDev's web UI after the successful run of a build. These artifact files are served by the…

  • CVE-2022-39206CriSep 13, 2022
    risk 0.00cvss 9.9epss 0.02

    Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to…

  • CVE-2022-39205CriSep 13, 2022
    risk 0.00cvss 9.0epss 0.02

    Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior to 7.3.0 unauthenticated users can take over a OneDev instance if there is no properly configured reverse proxy. The /git-prereceive-callback endpoint is used by the pre-receive…

  • CVE-2021-32651LowJun 1, 2021
    risk 0.00cvss 3.1epss 0.01

    OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP…

  • CVE-2021-21250HigJan 15, 2021
    risk 0.00cvss 7.7epss 0.01

    OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString); which processes the…

Page 1 of 2