CVE-2022-39205 - OpenCVE

Vendors	Products
Onedev Project	Onedev

Link	Providers
https://blog.sonarsource.com/onedev-remote-code-execution/
https://github.com/theonedev/onedev/commit/f1e97688e4e19d6de1dfa1d00e04655209d39f8e
https://github.com/theonedev/onedev/releases/tag/v7.3.0
https://github.com/theonedev/onedev/security/advisories/GHSA-4f9h-h82c-4xm2

{"containers": {"cna": {"affected": [{"product": "onedev", "vendor": "theonedev", "versions": [{"status": "affected", "version": "< 7.3.0"}]}], "descriptions": [{"lang": "en", "value": "Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior to 7.3.0 unauthenticated users can take over a OneDev instance if there is no properly configured reverse proxy. The /git-prereceive-callback endpoint is used by the pre-receive git hook on the server to check for branch protections during a push event. It is only intended to be accessed from localhost, but the check relies on the X-Forwarded-For header. Invoking this endpoint leads to the execution of one of various git commands. The environment variables of this command execution can be controlled via query parameters. This allows attackers to write to arbitrary files, which can in turn lead to the execution of arbitrary code. Such an attack would be very hard to detect, which increases the potential impact even more. Users are advised to upgrade. There are no known workarounds for this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-22T18:03:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-4f9h-h82c-4xm2"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/theonedev/onedev/commit/f1e97688e4e19d6de1dfa1d00e04655209d39f8e"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/theonedev/onedev/releases/tag/v7.3.0"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.sonarsource.com/onedev-remote-code-execution/"}], "source": {"advisory": "GHSA-4f9h-h82c-4xm2", "discovery": "UNKNOWN"}, "title": "Access Control Bypass in Onedev", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-39205", "STATE": "PUBLIC", "TITLE": "Access Control Bypass in Onedev"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "onedev", "version": {"version_data": [{"version_value": "< 7.3.0"}]}}]}, "vendor_name": "theonedev"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior to 7.3.0 unauthenticated users can take over a OneDev instance if there is no properly configured reverse proxy. The /git-prereceive-callback endpoint is used by the pre-receive git hook on the server to check for branch protections during a push event. It is only intended to be accessed from localhost, but the check relies on the X-Forwarded-For header. Invoking this endpoint leads to the execution of one of various git commands. The environment variables of this command execution can be controlled via query parameters. This allows attackers to write to arbitrary files, which can in turn lead to the execution of arbitrary code. Such an attack would be very hard to detect, which increases the potential impact even more. Users are advised to upgrade. There are no known workarounds for this issue."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287: Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "https://github.com/theonedev/onedev/security/advisories/GHSA-4f9h-h82c-4xm2", "refsource": "CONFIRM", "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-4f9h-h82c-4xm2"}, {"name": "https://github.com/theonedev/onedev/commit/f1e97688e4e19d6de1dfa1d00e04655209d39f8e", "refsource": "MISC", "url": "https://github.com/theonedev/onedev/commit/f1e97688e4e19d6de1dfa1d00e04655209d39f8e"}, {"name": "https://github.com/theonedev/onedev/releases/tag/v7.3.0", "refsource": "MISC", "url": "https://github.com/theonedev/onedev/releases/tag/v7.3.0"}, {"name": "https://blog.sonarsource.com/onedev-remote-code-execution/", "refsource": "MISC", "url": "https://blog.sonarsource.com/onedev-remote-code-execution/"}]}, "source": {"advisory": "GHSA-4f9h-h82c-4xm2", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:42.469Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-4f9h-h82c-4xm2"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/theonedev/onedev/commit/f1e97688e4e19d6de1dfa1d00e04655209d39f8e"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/theonedev/onedev/releases/tag/v7.3.0"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.sonarsource.com/onedev-remote-code-execution/"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39205", "datePublished": "2022-09-13T18:30:13", "dateReserved": "2022-09-02T00:00:00", "dateUpdated": "2024-08-03T12:00:42.469Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC376576-D05E-4FBF-8E5E-CB81C3965142", "versionEndExcluding": "7.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior to 7.3.0 unauthenticated users can take over a OneDev instance if there is no properly configured reverse proxy. The /git-prereceive-callback endpoint is used by the pre-receive git hook on the server to check for branch protections during a push event. It is only intended to be accessed from localhost, but the check relies on the X-Forwarded-For header. Invoking this endpoint leads to the execution of one of various git commands. The environment variables of this command execution can be controlled via query parameters. This allows attackers to write to arbitrary files, which can in turn lead to the execution of arbitrary code. Such an attack would be very hard to detect, which increases the potential impact even more. Users are advised to upgrade. There are no known workarounds for this issue."}, {"lang": "es", "value": "Onedev es un servidor Git de c\u00f3digo abierto, auto-alojado con CI/CD y Kanban. En versiones de Onedev anteriores a 7.3.0, los usuarios no autenticados pueden tomar el control de una instancia de OneDev si no se presenta un proxy inverso configurado apropiadamente. El endpoint /git-prereceive-callback es usado por el hook git pre-receive en el servidor para comprobar las protecciones de las ramas durante un evento push. S\u00f3lo puede accederse a \u00e9l desde localhost, pero la comprobaci\u00f3n es basada en la cabecera X-Forwarded-For. La invocaci\u00f3n de este endpoint conlleva a una ejecuci\u00f3n de uno de varios comandos de git. Las variables de entorno de la ejecuci\u00f3n de este comando pueden ser controladas por medio de par\u00e1metros de consulta. Esto permite a atacantes escribir en archivos arbitrarios, lo que a su vez puede conllevar a una ejecuci\u00f3n de c\u00f3digo arbitrario. Un ataque de este tipo ser\u00eda muy dif\u00edcil de detectar, lo que aumenta a\u00fan m\u00e1s el impacto potencial. Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para este problema"}], "id": "CVE-2022-39205", "lastModified": "2022-10-01T02:18:36.193", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-09-13T19:15:13.093", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.sonarsource.com/onedev-remote-code-execution/"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/theonedev/onedev/commit/f1e97688e4e19d6de1dfa1d00e04655209d39f8e"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/theonedev/onedev/releases/tag/v7.3.0"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-4f9h-h82c-4xm2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object