CVE-2021-21244 CRITICAL

CVE-2021-21244: Pre-Auth SSTI via Bean validation message tampering

Vendor Theonedev
Product onedev
Weakness CWE-74
Published January 15, 2021
Last update August 3, 2024

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely.

Key dates

02Disclosure timeline

January 15, 2021 CVE published
August 3, 2024 Record updated

Related vulnerabilities

04Related CVE