CVE Tools
Sign in

CVE-2022-39205

Access Control Bypass in Onedev

Published: Sep 13, 2022Updated: Nov 21, 2024 Sources: CVE List NVDCWE-287
NVD MITRE
9.0CVSSCRITICAL
EPSS Score
1.7%
Top 26.0%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versions of Onedev prior to 7.3.0 unauthenticated users can take over a OneDev instance if there is no properly configured reverse proxy. The /git-prereceive-callback endpoint is used by the pre-receive git hook on the server to check for branch protections during a push event. It is only intended to be accessed from localhost, but the check relies on the X-Forwarded-For header. Invoking this endpoint leads to the execution of one of various git commands. The environment variables of this command execution can be controlled via query parameters. This allows attackers to write to arbitrary files, which can in turn lead to the execution of arbitrary code. Such an attack would be very hard to detect, which increases the potential impact even more. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS Vector Breakdown

AV:NAC:HPR:NUI:NS:CC:HI:HA:H
Exploitability
AV:NAttack Vector
Network
AC:HAttack Complexity
High
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:CScope
Changed
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-287

Affected Products

onedevtheonedev
On-prem
Enterprise Software / collaboration-groupware
onedevonedev project
On-prem
DevTools & CI / source-control
theonedevcommercialEnterprise Softwareaka one dev, onedev
onedev projectoss-projectDevTools & CIaka one dev

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

2 techniques
Initial Access
View detailed technique mapping

References

https://github.com/theonedev/onedev/security/advisories/GHSA-4f9h-h82c-4xm2
github.com
https://github.com/theonedev/onedev/commit/f1e97688e4e19d6de1dfa1d00e04655209d39f8e
github.com
https://github.com/theonedev/onedev/releases/tag/v7.3.0
github.com
and 1 more references View all →

Timeline

Published
Sep 13, 2022
Last Updated
Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2022-39205 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows