CVE-2021-21246

8.6 HIGH

📋 TL;DR

CVE-2021-21246 is an authorization bypass vulnerability in OneDev's REST API that allows unauthenticated users to retrieve arbitrary user details including access tokens. This affects all OneDev instances before version 4.0.3. Attackers can use stolen tokens to impersonate users, access projects, and potentially compromise the entire DevOps platform.

💻 Affected Systems

Products:
  • OneDev
Versions: All versions before 4.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All OneDev deployments with REST API enabled are vulnerable. The vulnerability exists in the default configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the OneDev instance: attackers obtain administrator access tokens, gain full control over all projects, steal source code, modify build pipelines, and potentially pivot to internal systems.

🟠

Likely Case

Unauthorized access to user accounts and projects: attackers steal access tokens to clone repositories, access sensitive data, and perform actions as compromised users.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring: token misuse detected early, access restricted to non-critical systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to the vulnerable endpoint. No authentication or special tools needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.3

Vendor Advisory: https://github.com/theonedev/onedev/security/advisories/GHSA-66v7-gg85-f4gx

Restart Required: Yes

Instructions:

1. Back up your OneDev instance.
2. Stop the OneDev service.
3. Update to version 4.0.3 or later.
4. Restart the service.
5. Verify the fix by checking the version and testing the API endpoint.

🔧 Temporary Workarounds

Block REST API Access

Platform: linux

Temporarily block access to the vulnerable REST API endpoints using network controls or web application firewall rules.

# Example: Block /api/users/* endpoints
# Note: string matching only sees plaintext HTTP. On port 443 the request path
# is inside TLS, so the second rule cannot match; enforce the block at the
# TLS-terminating reverse proxy or WAF instead.
iptables -A INPUT -p tcp --dport 80 -m string --string "/api/users/" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/api/users/" --algo bm -j DROP

Disable REST API

Platform: all

Disable the REST API entirely if not required for operations.

# Modify OneDev configuration to disable REST API
# Check OneDev documentation for specific configuration changes

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate OneDev from sensitive systems and the internet.
  • Deploy a web application firewall (WAF) with rules to block requests to /api/users/* endpoints and monitor for access token misuse.

🔍 How to Verify

Check if Vulnerable:

Send a GET request to the /api/users/{id} endpoint (replace {id} with any user ID) without supplying credentials. If it returns user details including access tokens, the system is vulnerable.

Check Version:

curl -s http://your-onedev-server/version

Alternatively, check the OneDev web interface for version info.

Verify Fix Applied:

After patching, attempt the same GET request. It should return an error or no user details. Check that the version is 4.0.3 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /api/users/* endpoints
  • Multiple failed authentication attempts followed by successful API calls with stolen tokens
  • Access from unexpected IP addresses to user endpoints

Network Indicators:

  • HTTP GET requests to /api/users/{id} from unauthenticated sources
  • Sudden increase in API requests to user management endpoints
  • Cloning operations from new or unexpected locations

SIEM Query:

source="onedev" AND (uri_path="/api/users/*" OR (method="GET" AND uri_path CONTAINS "/api/users/"))
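As an added example (not from the original advisory or from the OneDev project), the log indicators above can be checked over reverse-proxy access logs. The log format is an assumption: nginx combined format with one extra trailing field recording whether an Authorization header was present ("-" when absent); the sample lines are constructed.

```python
import re
# Assumed format (not OneDev's own): nginx combined log plus a trailing field
# that records whether an Authorization header was present ("-" = absent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<auth>\S+)$')
# The endpoint named in the advisory: /api/users/{id}
USER_API_RE = re.compile(r'^/api/users/\d+(?:[/?]|$)')

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2021:12:00:01 +0000] "GET /api/users/1 HTTP/1.1" 200 612 "-" "curl/7.68.0" -
203.0.113.7 - - [10/Jan/2021:12:00:02 +0000] "GET /api/users/2 HTTP/1.1" 200 598 "-" "curl/7.68.0" -
10.0.0.5 - - [10/Jan/2021:12:00:03 +0000] "GET /api/users/2 HTTP/1.1" 200 598 "-" "Mozilla/5.0" present
10.0.0.9 - - [10/Jan/2021:12:00:04 +0000] "GET /api/projects HTTP/1.1" 200 1200 "-" "Mozilla/5.0" -
203.0.113.7 - - [10/Jan/2021:12:00:05 +0000] "GET /api/users/3 HTTP/1.1" 401 45 "-" "curl/7.68.0" -
"""

def parse(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_unauth_user_reads(log_text):
    """(ip, path) for every successful GET on /api/users/{id} sent without credentials.
    On a patched instance these should be rejected, so any 200 here is a finding."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if (rec["method"] == "GET" and USER_API_RE.match(rec["path"])
                and rec["status"] == "200" and rec["auth"] == "-"):
            hits.append((rec["ip"], rec["path"]))
    return hits

def enumerating_sources(hits, threshold=2):
    """Sources that read at least `threshold` distinct user records: likely enumeration."""
    seen = {}
    for ip, path in hits:
        seen.setdefault(ip, set()).add(path)
    return {ip: len(paths) for ip, paths in seen.items() if len(paths) >= threshold}

if __name__ == "__main__":
    hits = find_unauth_user_reads(SAMPLE_LOG)
    for ip, path in hits:
        print(f"unauthenticated user read: {ip} {path}")
    print("possible enumeration:", enumerating_sources(hits))
```

Requests with credentials, non-200 responses and other API paths are excluded, so a single hit on a patched instance is worth investigating rather than just the volume-based enumeration signal.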

🔗 References
