CVE-2024-45309 Scanner
CVE-2024-45309 Scanner - Arbitrary File Read vulnerability in OneDev.io
Short Info
Level: High
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 18 days 12 hours
Scan only one: Domain, IPv4
Toolbox: -
OneDev is an open-source all-in-one development platform that provides source code management, issue tracking, and CI/CD pipelines. Software teams use it to host repositories, run code review, manage tasks, and build and deploy projects, so a OneDev instance typically holds source code, build secrets, and credentials for the systems it deploys to.
An Arbitrary File Read vulnerability lets an attacker retrieve files on the host that the application was never meant to serve. The usual cause is that a user-supplied path segment is joined to a base directory without canonicalizing the result and checking that it still lies inside that directory, so directory traversal sequences (`../`, or their URL-encoded forms) walk out of the intended location.
In OneDev, the flaw stems from inadequate sanitization of file path input in certain endpoints. By sending requests whose path contains traversal sequences (`../../..`), an attacker can escape the intended directory and read files such as `/etc/passwd` on Linux or `win.ini` on Windows; this scanner looks for the contents of those files in the response as evidence of the bug. Any file readable by the OneDev server process is exposed. The vulnerability affects versions prior to 11.0.9 and is fixed in 11.0.9, so the remediation is to upgrade; until then, limit network access to the instance.
Exploitation can expose sensitive information such as system configuration, user credentials, CI secrets, and application configuration. That material can in turn enable further attacks, including privilege escalation, unauthorized access to connected systems, or full compromise of the host.
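The resolver below is an added illustration of the traversal mechanism described above and of the signature a scanner matches on; it is not OneDev's code and does not reproduce the affected OneDev endpoint. It builds a temporary directory tree (constructed for the demo, with a `secret.txt` standing in for `/etc/passwd`), contrasts a naive `os.path.join` resolver with one that canonicalizes the path and rejects anything outside the base directory, and classifies a response body as `/etc/passwd`- or `win.ini`-like content.

```python
"""Path traversal demo: vulnerable vs. hardened file resolution (added example, not OneDev code)."""
import os
import re
import tempfile
from urllib.parse import unquote


def setup_fixture():
    """Constructed sandbox: <root>/serve/public.txt is meant to be served,
    <root>/secret.txt (a stand-in for /etc/passwd) is not."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    serve = os.path.join(root, "serve")
    os.makedirs(serve)
    with open(os.path.join(serve, "public.txt"), "w") as f:
        f.write("public content\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    return root, serve


def resolve_vulnerable(base_dir, user_path):
    """Naive join: '../' (or its URL-encoded form) walks out of base_dir,
    and an absolute user_path discards base_dir entirely."""
    return os.path.join(base_dir, unquote(user_path))


def resolve_hardened(base_dir, user_path):
    """Canonicalize the joined path and require it to stay inside base_dir.
    realpath collapses '..' and follows symlinks, so the prefix check is
    done on what the filesystem will actually open."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(user_path)))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate


def read_via(resolver, base_dir, user_path):
    """Serve user_path with the given resolver; None if refused or absent."""
    try:
        with open(resolver(base_dir, user_path)) as f:
            return f.read()
    except (PermissionError, FileNotFoundError, NotADirectoryError):
        return None


def indicates_file_read(body):
    """Return which well-known file a response body resembles, or None.
    These are the same kinds of markers a file-read scanner matches on."""
    if body is None:
        return None
    if re.search(r"^root:[^:]*:0:0:", body, re.M):
        return "/etc/passwd"
    if re.search(r"^\[(fonts|extensions|mci extensions|files)\]", body, re.M | re.I) \
            or "for 16-bit app support" in body:
        return "win.ini"
    return None


if __name__ == "__main__":
    root, serve = setup_fixture()
    for probe in ("public.txt", "../secret.txt", "..%2Fsecret.txt"):
        for name, resolver in (("vulnerable", resolve_vulnerable), ("hardened", resolve_hardened)):
            body = read_via(resolver, serve, probe)
            print(f"{name:10s} {probe:18s} -> {indicates_file_read(body) or (body and 'served') or 'refused'}")
```

Note that the hardened resolver still permits `sub/../public.txt`, which normalizes to a file inside the base directory; the check is on where the canonical path ends up, not on whether the string contains `..`, which is why denylisting `../` alone is an unreliable fix.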