CVE-2022-38301: Path Traversal in Onedev v7.4.14 - Loginsoft Research
Onedev v7.4.14 contains a path traversal vulnerability which allows attackers to access restricted files and directories by uploading a crafted JAR file into the directory /opt/onedev/lib.
Path Traversal in Onedev v7.4.14
CVE Number
To be assigned
Loginsoft ID
Loginsoft-2022-1010
Vulnerability Description
A path traversal vulnerability allows an attacker to gain unauthorized access to restricted directories and files on the server. An attacker with project manager privileges can upload a malicious JAR file as an artifact from the project builds page so that it is written into the “/opt/onedev/lib” directory, replacing the existing “io.onedev.server-plugin-executor-serverdocker-7.4.14.jar” in the lib directory. After the server restarts, running a build that internally calls the executor plugin loads the uploaded malicious JAR, which leads to remote code execution.
CWE ID
CWE-22
Versions Affected
<= v7.4.14
CVSS Score
7.5 (High)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Steps to reproduce:
Impact
This vulnerability allows arbitrary file write on the server and can be used to inject malicious JARs, leading to remote code execution.
Mitigation:
To protect the application from this weakness, it is advised to follow these instructions:
- Normalize user-supplied input to defend against attacks such as Path/Directory Traversal
- Do not allow the special characters “..” and “/” in file or directory names
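One way to implement the mitigation above in code, as an added example that is not OneDev's own code or the fix commit's: each component of the uploaded artifact name is validated before it is joined to the build's artifact directory, and the joined path is then checked for containment. ARTIFACT_ROOT and the helper names are assumptions; unlike the page's flat-name rule, this version permits subdirectories in an artifact name but still rejects every ".." component and any absolute path.

```python
from pathlib import PurePosixPath

# Base directory under which a build's uploaded artifacts must stay.
# Constructed for this example; it is not OneDev's actual storage layout.
ARTIFACT_ROOT = PurePosixPath("/opt/onedev/site/projects/1/builds/42/artifacts")


def resolve_artifact_path(root: PurePosixPath, user_name: str) -> PurePosixPath:
    """Map an uploaded artifact name to its destination, or raise ValueError.

    Every path component is inspected before joining: absolute names, NUL
    bytes, backslashes (a traversal vector on Windows hosts) and any ".."
    component are refused. As defence in depth the joined path is then
    checked lexically to confirm it still lies beneath root.
    """
    if not user_name or "\x00" in user_name or "\\" in user_name:
        raise ValueError(f"malformed artifact name: {user_name!r}")
    rel = PurePosixPath(user_name)
    if rel.is_absolute():
        raise ValueError(f"absolute artifact path refused: {user_name!r}")
    # PurePosixPath collapses "." and repeated "/" but deliberately keeps "..",
    # so the traversal component must be rejected explicitly.
    parts = [p for p in rel.parts if p != "."]
    if not parts:
        raise ValueError(f"artifact name has no file component: {user_name!r}")
    if ".." in parts:
        raise ValueError(f"parent-directory reference refused: {user_name!r}")
    dest = root.joinpath(*parts)
    if root not in dest.parents:  # unreachable after the checks above; kept as a guard
        raise ValueError(f"artifact would escape {root}: {dest}")
    return dest


def is_safe_artifact_name(user_name: str, root: PurePosixPath = ARTIFACT_ROOT) -> bool:
    """Boolean wrapper suitable for a pre-upload gate or an audit-log decision."""
    try:
        resolve_artifact_path(root, user_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names: one benign upload and one that mirrors the
    # advisory's traversal into the server's lib directory.
    for name in ("reports/junit.xml",
                 "../../../../lib/io.onedev.server-plugin-executor-serverdocker-7.4.14.jar"):
        print(f"{name!r}: {'accepted' if is_safe_artifact_name(name) else 'rejected'}")
```

Rejections raise with the offending name included, so wiring the exception message into the server log gives a simple detection signal for traversal attempts against the artifact upload endpoint.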
Fix Commit
https://github.com/theonedev/onedev/commit/5b6a19c1f7fe9c271acc4268bcd261a9a1cbb3ea
Identified Date
09 August, 2022
Disclosure Date
09 August, 2022
Credit
Bhargava Ram Koduru