| Field | Value |
|---|---|
| Title | theonedev onedev 15.05 BOPLA |
| Description | Unauthorized Cross-Project Repository Fork via forkedFromId (risk summary below) |
| Source | https://www.cnblogs.com/aibot/p/19994142 |
| User | Anonymous User |
| Submission | 08/05/2026 08:26 AM (1 month ago) |
| Moderation | 06/06/2026 12:21 AM (29 days later) |
| Status | Accepted |
| VulDB Entry | 369018 [theonedev up to 15.0.5 /projects project.forkedFromId privilege escalation] |
| Points | 20 |

Risk Summary

A user who is allowed to create projects within a namespace may be able to create a fork project whose forkedFromId references a source project the user should not be able to read.

The affected workflow appears to copy repository data, LFS objects, commit metadata, and project avatar information from the source project into the attacker-controlled target project without enforcing read authorization on the source project.

Because newly created projects automatically grant Owner-level authorization to the creator, the attacker may subsequently grant themselves repository read access and retrieve the copied repository contents through the normal repository APIs.

In practice, this may allow unauthorized cross-project replication of private repository contents and related metadata.