CVE-2021-21249

{"id": "CVE-2021-21249", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-01-15T21:15:13.740", "references": [{"url": "https://github.com/theonedev/onedev/commit/d6fc4212b1ac1e9bbe3ce444e95f9af1e3ab8b66", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/theonedev/onedev/security/advisories/GHSA-7xhq-m2q9-6hpm", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/theonedev/onedev/commit/d6fc4212b1ac1e9bbe3ce444e95f9af1e3ab8b66", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/theonedev/onedev/security/advisories/GHSA-7xhq-m2q9-6hpm", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-74"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution. In order to parse and process YAML files, OneDev uses SnakeYaml which by default (when not using `SafeConstructor`) allows the instantiation of arbitrary classes. We can leverage that to run arbitrary code by instantiating classes such as `javax.script.ScriptEngineManager` and using `URLClassLoader` to load the script engine provider, resulting in the instantiation of a user controlled class. For a full example refer to the referenced GHSA. This issue was addressed in 4.0.3 by only allowing certain known classes to be deserialized"}, {"lang": "es", "value": "OneDev es una plataforma devops todo en uno. En OneDev versiones anteriores a 4.0.3, Se presenta un problema relacionado con el an\u00e1lisis de YAML que puede conllevar a una ejecuci\u00f3n de c\u00f3digo remota posterior a la autenticaci\u00f3n. Para analizar y procesar archivos YAML, OneDev usa SnakeYaml que por defecto (cuando no usa \"SafeConstructor\") permite la instanciaci\u00f3n de clases arbitrarias. Podemos aprovechar eso para ejecutar c\u00f3digo arbitrario creando instancias de clases como \"javax.script.ScriptEngineManager\" y usando \"URLClassLoader\" para cargar el proveedor del motor de script, resultando en la instanciaci\u00f3n de una clase controlada por el usuario. Para obtener un ejemplo completo, consulte la GHSA referenciada. Este problema fue abordado en la versi\u00f3n 4.0.3, al permitir que determinadas clases conocidas sean deserializadas"}], "lastModified": "2024-11-21T05:47:51.713", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5287F01C-3A77-4491-AB49-401A50FAA6E9", "versionEndExcluding": "4.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}