HTTP: OneDev OneDev Platform AttachmentUploadServet Insecure Deserialization
This signature detects attempts to exploit a known vulnerability against OneDev. A successful attack can lead to arbitrary code execution.
Extended Description
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or authorization checks. This issue may lead to pre-auth remote code execution. This issue was fixed in 4.0.3 by removing AttachmentUploadServlet and not using deserialization
Affected Products
Onedev_project onedev
References
CVE: CVE-2021-21242
Short Name
HTTP:CTS:ONEDEV-ATCHUPLD-INSDES
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
AttachmentUploadServet CVE-2021-21242 Deserialization Insecure OneDev Platform
Release Date
03/09/2021
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3363
False Positive
Unknown
Vendors
Onedev_project
CVSS Score
7.5