FKIE_CVE-2021-21246

Vulnerability from fkie_nvd - Published: 2021-01-15 21:15 - Updated: 2024-11-21 05:47
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/{id}` endpoint there are no security checks enforced so it is possible to retrieve arbitrary user details including their Access Tokens! These access tokens can be used to access the API or clone code in the build spec via the HTTP(S) protocol. It has permissions to all projects accessible by the user account. This issue may lead to `Sensitive data leak` and leak the Access Token which can be used to impersonate the administrator or any other users. This issue was addressed in 4.0.3 by removing user info from restful api.
References
security-advisories@github.comhttps://github.com/theonedev/onedev/commit/a4491e5f79dc6cc96eac20972eedc8905ddf6089Patch, Third Party Advisory
security-advisories@github.comhttps://github.com/theonedev/onedev/security/advisories/GHSA-66v7-gg85-f4gxThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/theonedev/onedev/commit/a4491e5f79dc6cc96eac20972eedc8905ddf6089Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/theonedev/onedev/security/advisories/GHSA-66v7-gg85-f4gxThird Party Advisory
Impacted products
Vendor Product Version
onedev_project onedev *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5287F01C-3A77-4491-AB49-401A50FAA6E9",
              "versionEndExcluding": "4.0.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/{id}` endpoint there are no security checks enforced so it is possible to retrieve arbitrary user details including their Access Tokens! These access tokens can be used to access the API or clone code in the build spec via the HTTP(S) protocol. It has permissions to all projects accessible by the user account. This issue may lead to `Sensitive data leak` and leak the Access Token which can be used to impersonate the administrator or any other users. This issue was addressed in 4.0.3 by removing user info from restful api."
    },
    {
      "lang": "es",
      "value": "OneDev es una plataforma devops todo en uno.\u0026#xa0;En OneDev versiones anteriores a  4.0.3, el endpoint de REST UserResource lleva a cabo una comprobaci\u00f3n de seguridad para asegurarse de que solo los administradores puedan enumerar los detalles del usuario.\u0026#xa0;Sin embargo, para el endpoint \"/users/{id}\" no son aplicados controles de seguridad, por lo que es posible recuperar detalles arbitrarios del usuario, incluyendo sus tokens de acceso.\u0026#xa0;Estos tokens de acceso pueden ser usados para acceder a la API o al c\u00f3digo de clonaci\u00f3n en la especificaci\u00f3n de compilaci\u00f3n por medio del protocolo HTTP(S).\u0026#xa0;Presenta permisos para todos los proyectos accesibles por la cuenta de usuario.\u0026#xa0;Este problema puede conllevar a una \"filtraci\u00f3n de datos confidenciales\" y el token de acceso, que puede ser usada para hacerse pasar por el administrador o cualquier otro usuario.\u0026#xa0;Este problema fue abordado en la versi\u00f3n 4.0.3 al eliminar la informaci\u00f3n del usuario de la API restful"
    }
  ],
  "id": "CVE-2021-21246",
  "lastModified": "2024-11-21T05:47:51.363",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-01-15T21:15:13.490",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/theonedev/onedev/commit/a4491e5f79dc6cc96eac20972eedc8905ddf6089"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-66v7-gg85-f4gx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/theonedev/onedev/commit/a4491e5f79dc6cc96eac20972eedc8905ddf6089"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-66v7-gg85-f4gx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.