
CVE-2021-21246 Scanner

CVE-2021-21246 Scanner - Information Disclosure vulnerability in OneDev

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 2 weeks 21 hours
Scan only one: URL
Toolbox

OneDev is a widely adopted open-source project management and issue tracking tool designed for software development teams. Used by companies and developers around the world, OneDev assists in project planning, development tracking, and continuous integration processes. It is particularly useful for dev teams that need a centralized platform for tracking tasks and compiling code in a collaborative environment. OneDev's interface is built to optimize both team and individual productivity, providing features to manage code reviews, issue tracking, and code hosting in one platform. With these features, it integrates seamlessly into existing DevOps workflows, improving team coordination and efficiency. Its REST API support allows users to extend the functionalities and automate workflows to suit specific requirements.

The Information Disclosure vulnerability identified in OneDev prior to version 4.0.3 is due to a missing security check in one of its endpoints. This flaw allows unauthorized users to access sensitive user data through the /users/{id} REST API endpoint. The information that can be leaked includes user access tokens and email addresses, and such leakage can lead to severe security issues including user impersonation and unauthorized access to user accounts. No special conditions are needed for exploitation, which makes this vulnerability particularly dangerous: it can be triggered remotely by any party that can reach the endpoint.

Technically, OneDev's user access token leak is located in the REST API of versions earlier than 4.0.3. The affected endpoint, /rest/users/{id}, fails to enforce adequate authorization checks, so anyone who can reach the API URL can fetch sensitive user information. The leak is triggered by a plain GET request to this endpoint; typical responses are JSON documents that contain the "accessToken" and "email" fields. The Content-Type of the returned data is application/json, a structured response that was clearly meant for authorized API clients only. Because no authorization check is applied, the data is exposed to anyone who requests the endpoint directly.
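As an added defender-side example (not code from this page or from the OneDev project), the Python below shows two checks an asset owner can run around this issue: a detector over reverse-proxy access logs that flags unauthenticated reads of /rest/users/{id} and sources walking through many user ids, and a response classifier that reports whether a reply from the endpoint still carries the accessToken or email fields named above. The log format (combined format from a proxy in front of OneDev), the log lines and the JSON body are all constructed samples; the remote-user heuristic is an assumption noted in the code.

```python
import json
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines; not real OneDev traffic.
# IPs are documentation-range addresses and user ids are arbitrary.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2021:10:01:02 +0000] "GET /rest/users/1 HTTP/1.1" 200 412 "-" "curl/7.64.1"
203.0.113.7 - - [10/Jan/2021:10:01:03 +0000] "GET /rest/users/2 HTTP/1.1" 200 398 "-" "curl/7.64.1"
198.51.100.4 - alice [10/Jan/2021:10:05:00 +0000] "GET /rest/users/5 HTTP/1.1" 200 401 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2021:10:06:00 +0000] "GET /projects HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2021:10:07:00 +0000] "GET /rest/users/3 HTTP/1.1" 401 0 "-" "curl/7.64.1"
"""

# Constructed JSON body shaped like the leaking response the page describes
# (fields named accessToken and email); the token value is a placeholder.
SAMPLE_RESPONSE_BODY = json.dumps({
    "id": 1,
    "name": "admin",
    "email": "admin@example.com",
    "accessToken": "PLACEHOLDER-SAMPLE-TOKEN",
})

# Fields the page names as leaked by the unpatched endpoint.
SENSITIVE_FIELDS = ("accessToken", "email")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Matches both spellings of the endpoint that appear on the page.
USER_PATH_RE = re.compile(r"^(?:/rest)?/users/(?P<id>\d+)/?$")


def parse_log(log_text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
            yield rec


def user_id_from_path(path):
    """Return the numeric {id} if the path is the user resource, else None."""
    m = USER_PATH_RE.match(path)
    return int(m.group("id")) if m else None


def find_unauthenticated_user_reads(log_text):
    """Successful GET /rest/users/{id} requests with no authenticated user recorded.

    Heuristic (assumption): the remote-user field ('-') reflects what the
    proxy logged; token-based sessions may not populate it, so treat hits as
    leads to confirm against application-side logs rather than as proof.
    """
    hits = []
    for rec in parse_log(log_text):
        if (rec["method"] == "GET" and rec["status"] == 200
                and rec["user"] == "-" and user_id_from_path(rec["path"]) is not None):
            hits.append({"ip": rec["ip"], "path": rec["path"], "ts": rec["ts"]})
    return hits


def enumerating_sources(log_text, min_distinct_ids=3):
    """Map source IP -> count of distinct user ids requested, for IPs at or above the threshold.

    Walking through ids (whatever the status code) is the pattern that precedes
    bulk token harvesting on an unpatched instance.
    """
    ids_by_ip = defaultdict(set)
    for rec in parse_log(log_text):
        uid = user_id_from_path(rec["path"])
        if uid is not None:
            ids_by_ip[rec["ip"]].add(uid)
    return {ip: len(ids) for ip, ids in ids_by_ip.items() if len(ids) >= min_distinct_ids}


def leaked_fields(status, content_type, body):
    """Sensitive fields present in a user-endpoint response (sorted), or [] if none.

    Intended for verifying your own instance after upgrading to 4.0.3 or later:
    a 200 application/json reply that still carries accessToken/email is a finding.
    """
    if status != 200 or not content_type.lower().startswith("application/json"):
        return []
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, dict):
        return []
    return sorted(f for f in SENSITIVE_FIELDS if f in data)


if __name__ == "__main__":
    for hit in find_unauthenticated_user_reads(SAMPLE_LOG):
        print("unauthenticated user read:", hit)
    print("enumerating sources:", enumerating_sources(SAMPLE_LOG))
    print("leaked fields:", leaked_fields(200, "application/json", SAMPLE_RESPONSE_BODY))
```

On the sample data the detector reports the two unauthenticated 200 responses from 203.0.113.7, that address is also flagged as an enumerating source because it requested three distinct user ids (one of them refused with 401), and the constructed response body is classified as leaking both fields. The `leaked_fields` check should return an empty list against a patched instance; a non-empty result after upgrading means the fix did not take effect and the exposed tokens should be rotated.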

Exploiting the Information Disclosure vulnerability in OneDev could lead to unauthorized data access and user impersonation. Attackers who obtain user access tokens can potentially take control of the affected accounts and perform actions in the name of the compromised user without their knowledge. This could lead to unauthorized data manipulation and, in severe cases, complete account compromise in which sensitive, private, or proprietary information is exfiltrated. Beyond data theft, a compromised account might be used maliciously within the project, affecting team productivity and trust. Successful exploitation can therefore severely impact users' security and disrupt business operations that rely on the integrity of the OneDev platform.
