By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Accept
Green Plus icon
Home
/
Research
/
Zero Day Discovery
/
CVE-2022-38301: Path Traversal in Onedev v7.4.14

CVE-2022-38301: Path Traversal in Onedev v7.4.14

Vulnerability Reports
August 9, 2022
Profile Icon

Jason Franscisco

Path Traversal in Onedev v7.4.14

CVE Number

CVE-2022-38301

Loginsoft ID

Loginsoft-2022-1010

Vulnerability Description

A path traversal vulnerability allows an attacker to gain unauthorized access to restricted directories and files on the server. An attacker with a project manager privilege can upload a malicious jar file into the “/opt/onedev/lib” directory as an artifact in project builds page which will be replacing the “io.onedev.server-plugin-executor-serverdocker-7.4.14.jar” file from the lib directory. Upon a server restart, the user can execute the uploaded malicious jar file by running a build which internally calls the executor plugin that leads to Remote code execution.

CWE ID

CWE-22

Versions Affected

<= v7.4.14

CVSS Score

7.5 (High)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Steps to reproduce:
  • Login into application as a user with project manager privilege
  • Create and run any sample build with any executor
Path Traversal in Onedev v7.4.14
  • Select any build and navigate to the artifacts upload page to create a sample folder and upload a file
  • Create a jar file with malicious code and pack it with same file name as on the server
jar file code in Onedev v7.4.14
  • Now upload the malicious jar file to the directory with payload “../../../../../../lib” which will replace the original jar file in the lib directory
Application and Run any build in Onedev v7.4.14
  • After restarting the server, access the application and run any build
  • We can see the uploaded malicious jar file executes and inserted log is generated during the build execution
Build execution in Onedev v7.4.14
Impact

This vulnerability leads to arbitrary file write in server and can also inject malicious jars that leads to remote code execution.

Mitigation:

To protect the application from this weakness it is advised to follow these instructions:

  • Normalizing user-supplied input against such attacks as Path/Directory Traversal
  • Do not allow special characters “..”,”/” in the file name or directory name
Fix Commit

https://github.com/theonedev/onedev/commit/5b6a19c1f7fe9c271acc4268bcd261a9a1cbb3ea

Identified Date

09 August, 2022

Disclosure Date

09 August, 2022

Credit

Bhargava Ram Koduru

Explore Cybersecurity Platforms

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.

Discover Lovi

Reports and Resources

Related Resources

Article

Semgrep insights on security risks in Node.JS vm module

Article

Is Microsoft Azure Sentinel your next Implementation? Learn how Loginsoft integrated Sentinel with data source

Article

Open Vulnerability Assessment Language (OVAL) in a Nutshell

Sign up to our Newsletter

Services
Cloud Security Posture ManagementCloud Workload ProtectionOSS - Software Composition AnalysisOSS - Dependancy DefenceOSS - Zero-Day DiscoverySecurity & Threat Intelligence IntegrationsVulnerability IntelligenceThreat IntelligenceExternal Attack Surface DiscoveryVulnerability & Configuration Management
IT Solutions
Data Science & AISoftware Development  & SupportQA AutomationStaff Augmentation
Platforms
LOVICytellite
Company
BlogsReportsAbout usCareers
Research
Research-as-a -ServiceZero-Day DiscoveryOur Research
1-703-956-7410info@loginsoft.com
© 2024 - Copyright
Privacy policy