Source |
CVE List |
Identifier |
2200498 |
Publication date |
2021-01-15 21:15:13 (seen: 2021-01-16 00:05:14) |
Title |
CVE-2021-21248 |
Text |
OneDev is an all-in-one DevOps platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define the parameters of a build spec, and it does so by using dynamically generated Groovy classes. Because user-supplied parameter values reach the generated class source without escaping, a user able to control job parameters can run arbitrary code on the OneDev server by injecting arbitrary Groovy code. The end result is the injection of a static initializer (a static constructor) that runs arbitrary code when the generated class is loaded. For a full example, refer to the referenced GHSA. This issue was addressed in 4.0.3 by escaping special characters such as quotes in user input. |
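The following is an added illustration of the bug class described above; it is not OneDev's code and not the proof of concept from the GHSA. It models a hypothetical template that splices a build parameter into Groovy class source inside a double-quoted string literal, shows how a quote in the parameter value breaks out of the literal and injects a static initializer, and applies the kind of escaping the 4.0.3 fix describes. The template, the class and parameter names, the payload and the extra escaping of `$` (Groovy double-quoted strings are GStrings and evaluate `${...}`) are all assumptions made for the example.

```python
"""Added example (not OneDev's code): models how splicing a user-controlled
build parameter into generated Groovy class source lets a quote break out of
the string literal and inject a static initializer, and how escaping the
string's special characters (the 4.0.3-style fix) closes the hole.
The template, class/parameter names and payload are all hypothetical."""
import re

# Hypothetical template: the parameter name and default value are spliced
# verbatim into a Groovy class body, inside double-quoted string literals.
TEMPLATE = (
    "class {cls} {{\n"
    '    String name = "{name}";\n'
    '    String defaultValue = "{value}";\n'
    "}}\n"
)

# Constructed payload: closes the open string literal, adds a static
# initializer, then reopens a string so the generated class still parses.
# A benign println stands in for whatever an attacker would really run.
PAYLOAD = 'x"; static { println "injected" }; String tail = "'


def render_unescaped(cls, name, value):
    """Vulnerable: parameter text goes into the source without escaping."""
    return TEMPLATE.format(cls=cls, name=name, value=value)


def groovy_escape(text):
    """Escape text for use inside a Groovy double-quoted string literal.

    Backslash is escaped first so the later escapes are not doubled. '$' is
    escaped as well because Groovy double-quoted strings are GStrings and
    would evaluate ${...}; the advisory only mentions quotes, so treat this
    as an additional hardening step assumed by the example."""
    return (
        text.replace("\\", "\\\\")
        .replace('"', '\\"')
        .replace("$", "\\$")
        .replace("\n", "\\n")
        .replace("\r", "\\r")
    )


def render_escaped(cls, name, value):
    """Hardened: every user-controlled fragment is escaped before splicing."""
    return TEMPLATE.format(cls=cls, name=groovy_escape(name),
                           value=groovy_escape(value))


def code_outside_strings(source):
    """Return the source with the contents of double-quoted string literals
    removed, honouring backslash escapes. Single- and triple-quoted Groovy
    strings are not handled; the template above only uses double quotes."""
    out, in_str, i = [], False, 0
    while i < len(source):
        c = source[i]
        if in_str:
            if c == "\\":
                i += 2          # skip the escaped character entirely
                continue
            if c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


def has_static_initializer(source):
    """True if a 'static {' block appears in code rather than inside a string."""
    return re.search(r"\bstatic\s*\{", code_outside_strings(source)) is not None


if __name__ == "__main__":
    bad = render_unescaped("BuildParam", PAYLOAD, "1")
    good = render_escaped("BuildParam", PAYLOAD, "1")
    print(bad)
    print("unescaped render contains an injected static block:",
          has_static_initializer(bad))
    print(good)
    print("escaped render contains an injected static block:",
          has_static_initializer(good))
```

`has_static_initializer` is only a sanity check on the generated source for this one injection shape; the real defence is never splicing raw user text into source that will be compiled, or escaping every special character of the target literal syntax as the fix does.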
Notes |
|
Sent |
Yes |
Tags |
Vulnerability |