CVE-2024-45309

HIGH8.7

Public PoC

Description

OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

High

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

theonedev / onedev< 11.0.9 – < 11.0.9

Exploits & PoCs

nucleiOneDev.io < 11.0.9 - Arbitrary File Readby isacaya

References

VENDOR_ADVISORYhttps://github.com/theonedev/onedev/security/advisories/GHSA-7wg5-6864-v489
PATCHhttps://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f