CVE-2021-21245 in OneDevinfo

Summary

by MITRE • 01/16/2021

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to upload a WebShell to OneDev server. This issue is addressed in 4.0.3 by only allowing uploaded file to be in attachments folder. The webshell issue is not possible as OneDev never executes files in attachments folder.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 02/15/2021

The vulnerability CVE-2021-21245 affects OneDev, an all-in-one DevOps platform, and represents a critical arbitrary file upload flaw that could enable remote code execution. This vulnerability exists in versions prior to 4.0.3 and stems from the AttachmentUploadServlet component which processes file uploads through the request input stream while simultaneously allowing user-controlled file names to determine storage locations. The flaw creates a dangerous condition where malicious actors can manipulate both the file content and destination path, potentially leading to full server compromise through webshell deployment. The vulnerability aligns with CWE-434, which specifically addresses insecure file upload scenarios where applications fail to properly validate or restrict file upload destinations. This weakness directly enables attackers to bypass normal file upload restrictions and store malicious files in locations where they could be executed or accessed by the application.

The technical implementation of this vulnerability occurs through the AttachmentUploadServlet's handling of HTTP requests where the servlet reads from request.getInputStream() and writes data to locations determined by request.getHeader("File-Name"). This design flaw allows attackers to specify arbitrary file paths through HTTP headers, creating a path traversal condition that could result in files being written outside of intended directories. The vulnerability operates at the application layer and can be exploited through HTTP POST requests that include malicious file content along with crafted header values. Attackers can leverage this to upload webshells or other malicious executables to the OneDev server, potentially gaining unauthorized access to the system and its resources. The flaw demonstrates poor input validation and inadequate sanitization of user-supplied data, creating a direct pathway for privilege escalation and persistent access to the target environment.

The operational impact of this vulnerability extends beyond simple file upload capabilities and represents a significant threat to system integrity and confidentiality. Successful exploitation could allow attackers to establish persistent backdoors, execute arbitrary commands, access sensitive project data, and potentially compromise the entire DevOps platform infrastructure. The vulnerability affects the core functionality of the platform by enabling unauthorized file operations that could lead to complete system compromise. Organizations using affected versions of OneDev face risks including data exfiltration, system takeover, and disruption of development workflows. The attack surface is particularly concerning given that DevOps platforms typically contain sensitive source code repositories, build artifacts, and deployment configurations that make them attractive targets for cybercriminals. This vulnerability also aligns with ATT&CK technique T1190, which covers exploitation of vulnerabilities for initial access, and T1059, which covers execution through command and scripting interpreters.

The vendor addressed this vulnerability in version 4.0.3 through restrictive measures that limit file uploads to a dedicated attachments folder and prevent execution of files within that directory. This mitigation strategy effectively closes the arbitrary file upload pathway by implementing proper path validation and restricting write operations to controlled locations. The solution follows security best practices by implementing the principle of least privilege and ensuring that uploaded files cannot be executed directly by the application. Organizations should immediately upgrade to version 4.0.3 or later to remediate this vulnerability. Additional defensive measures include implementing web application firewalls to monitor and filter suspicious file upload patterns, conducting regular security assessments of DevOps platforms, and establishing proper access controls for file upload functionality. The fix demonstrates the importance of proper input validation and secure coding practices in preventing remote code execution vulnerabilities in enterprise applications.

Responsible

GitHub, Inc.

Reservation

12/22/2020

Disclosure

01/16/2021

Moderation

accepted

CPE

ready

EPSS

0.01198

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!