CVE-2022-39208

Published: Sep 13, 2022

Modified: Apr 22, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file disclosure vulnerability can be used by unauthenticated attackers to leak all project files of any project. Since project IDs are incremental, an attacker could iterate through them and leak all project data. This issue has been resolved in version 7.3.0 and users are advised to upgrade. There are no known workarounds for this issue.

Vendor	Product	Versions
theonedev	onedev	affected `< 7.3.0`

Weaknesses (CWE)

CWE-552

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/theonedev/onedev/security/advisories/GHSA-h427-rv56-c9h2

x_refsource_CONFIRM

https://github.com/theonedev/onedev/commit/8aa94e0daf8447cdf76d4f27bfda0a85a7ea5822

x_refsource_MISC

https://blog.sonarsource.com/onedev-remote-code-execution/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-39208

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References