admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-05-07 19:17:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

"-Synchronized-Data."

Browse Source
This commit is contained in:
CVE Team 2021-01-15 21:01:57 +00:00
parent 0da6c0f504
commit 8aca52d145
No known key found for this signature in database
GPG Key ID: 5708902F06FEF743
14 changed files with 104 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
2021/21xxx/CVE-2021-21242.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution.\n\nAttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or authorization checks. This issue may lead to pre-auth remote code execution.\n\nThis issue was fixed in 4.0.3 by removing AttachmentUploadServlet and not using deserialization"
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or authorization checks. This issue may lead to pre-auth remote code execution. This issue was fixed in 4.0.3 by removing AttachmentUploadServlet and not using deserialization"
}
]
},

2
2021/21xxx/CVE-2021-21243.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks.\n\nThis issue may lead to pre-auth RCE.\n\nThis issue was fixed in 4.0.3 by not using deserialization at KubernetesResource side."
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks. This issue may lead to pre-auth RCE. This issue was fixed in 4.0.3 by not using deserialization at KubernetesResource side."
}
]
},

2
2021/21xxx/CVE-2021-21244.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA.\n\n\nThis issue was fixed in 4.0.3 by disabling validation interpolation completely.\n\n\n"
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely."
}
]
},

2
2021/21xxx/CVE-2021-21245.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader(\"File-Name\")`).\n\nThis issue may lead to arbitrary file upload which can be used to upload a WebShell to OneDev server.\n\nThis issue is addressed in 4.0.3 by only allowing uploaded file to be in attachments folder. The webshell issue is not possible as OneDev never executes files in attachments folder."
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader(\"File-Name\")`). This issue may lead to arbitrary file upload which can be used to upload a WebShell to OneDev server. This issue is addressed in 4.0.3 by only allowing uploaded file to be in attachments folder. The webshell issue is not possible as OneDev never executes files in attachments folder."
}
]
},

2
2021/21xxx/CVE-2021-21246.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/{id}` endpoint there are no security checks enforced so it is possible to retrieve arbitrary user details including their Access Tokens!\n\nThese access tokens can be used to access the API or clone code in the build spec via the HTTP(S) protocol. It has permissions to all projects accessible by the user account.\n\nThis issue may lead to `Sensitive data leak` and leak the Access Token which can be used to impersonate the administrator or any other users.\n\nThis issue was addressed in 4.0.3 by removing user info from restful api."
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/{id}` endpoint there are no security checks enforced so it is possible to retrieve arbitrary user details including their Access Tokens! These access tokens can be used to access the API or clone code in the build spec via the HTTP(S) protocol. It has permissions to all projects accessible by the user account. This issue may lead to `Sensitive data leak` and leak the Access Token which can be used to impersonate the administrator or any other users. This issue was addressed in 4.0.3 by removing user info from restful api."
}
]
},

2
2021/21xxx/CVE-2021-21247.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (`AbstractPostAjaxBehavior`) in all pages other than the login page. This listener decodes and deserializes the `data` query parameter.\n\nWe can access this listener by submitting a POST request to any page. This issue may lead to `post-auth RCE`\n\nThis endpoint is subject to authentication and, therefore, requires a valid user to carry on the attack.\n\nThis issue was addressed in 4.0.3 by encrypting serialization payload with secrets only known to server."
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (`AbstractPostAjaxBehavior`) in all pages other than the login page. This listener decodes and deserializes the `data` query parameter. We can access this listener by submitting a POST request to any page. This issue may lead to `post-auth RCE` This endpoint is subject to authentication and, therefore, requires a valid user to carry on the attack. This issue was addressed in 4.0.3 by encrypting serialization payload with secrets only known to server."
}
]
},

2
2021/21xxx/CVE-2021-21248.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters.\n\nInputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job parameters can run arbitrary code on OneDev's server by injecting arbitrary Groovy code.\n\nThe ultimate result is in the injection of a static constructor that will run arbitrary code. For a full example refer to the referenced GHSA.\n\nThis issue was addressed in 4.0.3 by escaping special characters such as quote from user input."
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job parameters can run arbitrary code on OneDev's server by injecting arbitrary Groovy code. The ultimate result is in the injection of a static constructor that will run arbitrary code. For a full example refer to the referenced GHSA. This issue was addressed in 4.0.3 by escaping special characters such as quote from user input."
}
]
},

2
2021/21xxx/CVE-2021-21249.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution.\n\nIn order to parse and process YAML files, OneDev uses SnakeYaml which by default (when not using `SafeConstructor`) allows the instantiation of arbitrary classes. We can leverage that to run arbitrary code by instantiating classes such as `javax.script.ScriptEngineManager` and using `URLClassLoader` to load the script engine provider, resulting in the instantiation of a user controlled class. For a full example refer to the referenced GHSA.\n\nThis issue was addressed in 4.0.3 by only allowing certain known classes to be deserialized"
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution. In order to parse and process YAML files, OneDev uses SnakeYaml which by default (when not using `SafeConstructor`) allows the instantiation of arbitrary classes. We can leverage that to run arbitrary code by instantiating classes such as `javax.script.ScriptEngineManager` and using `URLClassLoader` to load the script engine provider, resulting in the instantiation of a user controlled class. For a full example refer to the referenced GHSA. This issue was addressed in 4.0.3 by only allowing certain known classes to be deserialized"
}
]
},

2
2021/21xxx/CVE-2021-21250.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read.\n\nWhen BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString); which processes the XML document without preventing\nthe expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents in the final XML document to be migrated. If the files are dumped in properties included in the YAML file, it will be possible for an attacker to read them.\nIf not, it is possible for an attacker to exfiltrate the contents of these files Out Of Band.\n\nThis issue was addressed in 4.0.3 by ignoring ENTITY instructions in xml file."
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString); which processes the XML document without preventing the expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents in the final XML document to be migrated. If the files are dumped in properties included in the YAML file, it will be possible for an attacker to read them. If not, it is possible for an attacker to exfiltrate the contents of these files Out Of Band. This issue was addressed in 4.0.3 by ignoring ENTITY instructions in xml file."
}
]
},

2
2021/21xxx/CVE-2021-21251.json
View File

@ -35,7 +35,7 @@
"description_data": [
{
"lang": "eng",
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3 there is a critical \"zip slip\" vulnerability. This issue may lead to arbitrary file write.\n\nThe KubernetesResource REST endpoint untars user controlled data from the request body using TarUtils. TarUtils is a custom library method leveraging Apache Commons Compress. During the untar process, there are no checks in place to prevent an untarred file from traversing the file system and overriding an existing file.\n\nFor a successful exploitation, the attacker requires a valid __JobToken__ which may not be possible to get without using any of the other reported vulnerabilities. But this should be considered a vulnerability in `io.onedev.commons.utils.TarUtils` since it lives in a different artifact and can affect other projects using it.\n\nThis issue was addressed in 4.0.3 by validating paths in tar archive to only allow them to be in specified folder when extracted."
"value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3 there is a critical \"zip slip\" vulnerability. This issue may lead to arbitrary file write. The KubernetesResource REST endpoint untars user controlled data from the request body using TarUtils. TarUtils is a custom library method leveraging Apache Commons Compress. During the untar process, there are no checks in place to prevent an untarred file from traversing the file system and overriding an existing file. For a successful exploitation, the attacker requires a valid __JobToken__ which may not be possible to get without using any of the other reported vulnerabilities. But this should be considered a vulnerability in `io.onedev.commons.utils.TarUtils` since it lives in a different artifact and can affect other projects using it. This issue was addressed in 4.0.3 by validating paths in tar archive to only allow them to be in specified folder when extracted."
}
]
},

40
2021/24xxx/CVE-2021-24122.json
View File

@ -84,6 +84,46 @@
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E",
"name": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[tomcat-announce] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure",
"url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.tomcat.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[tomcat-dev] 20210114 svn commit: r1885488 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml",
"url": "https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[tomee-dev] 20210114 Re: Releases?",
"url": "https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d@%3Cdev.tomee.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[oss-security] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure",
"url": "http://www.openwall.com/lists/oss-security/2021/01/14/1"
},
{
"refsource": "MLIST",
"name": "[announce] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure",
"url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[tomcat-dev] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure",
"url": "https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20@%3Cdev.tomcat.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[tomcat-users] 20210114 [SECURITY] CVE-2021-24122 Apache Tomcat Information Disclosure",
"url": "https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9@%3Cusers.tomcat.apache.org%3E"
},
{
"refsource": "MLIST",
"name": "[tomee-dev] 20210115 CVE-2021-24122 NTFS Information Disclosure Bug",
"url": "https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710@%3Cdev.tomee.apache.org%3E"
}
]
},

18
2021/25xxx/CVE-2021-25274.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-25274",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2021/25xxx/CVE-2021-25275.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-25275",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}

18
2021/25xxx/CVE-2021-25276.json Normal file
View File

@ -0,0 +1,18 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ID": "CVE-2021-25276",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
},
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}