CVE-2021-32651

Published: Jun 1, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

3.1

LOW

Description

OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2.

Vendor	Product	Versions
theonedev	onedev	affected `<= 4.4.1`

Weaknesses (CWE)

CWE-90

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/theonedev/onedev/security/advisories/GHSA-5864-2496-4xjf

x_refsource_CONFIRM

https://github.com/theonedev/onedev/commit/4440f0c57e440488d7e653417b2547eaae8ad19c

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-32651

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References