CVE-2021-21249

9.6 CRITICAL

📋 TL;DR

CVE-2021-21249 is a post-authentication remote code execution vulnerability in the OneDev DevOps platform. It allows authenticated attackers to execute arbitrary code on the server by exploiting insecure YAML deserialization via the SnakeYaml library. This affects all OneDev instances before version 4.0.3.

💻 Affected Systems

Products:
  • OneDev
Versions: All versions before 4.0.3
Operating Systems: All platforms running OneDev
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have valid authentication credentials to exploit.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing an attacker to execute arbitrary commands, access sensitive data, deploy malware, or pivot to other systems in the network.

🟠 Likely Case

The attacker gains full control of the OneDev server, potentially accessing source code, CI/CD pipelines, and credentials, and deploying malicious code to downstream systems.

🟢 If Mitigated

With proper network segmentation and least privilege, impact is limited to the OneDev application server only.

🌐 Internet-Facing: HIGH - Internet-facing OneDev instances are directly exploitable by authenticated attackers.
🏢 Internal Only: HIGH - Internal instances are vulnerable to insider threats or attackers who breach the network perimeter.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit requires authentication but is straightforward once authenticated. A public proof-of-concept is available in the GitHub advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.3 and later

Vendor Advisory: https://github.com/theonedev/onedev/security/advisories/GHSA-7xhq-m2q9-6hpm

Restart Required: Yes

Instructions:

1. Back up your OneDev instance.
2. Stop the OneDev service.
3. Update to version 4.0.3 or later.
4. Restart the OneDev service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict YAML uploads (applies to: all)

Temporarily disable or restrict YAML file uploads/processing in OneDev until patched.

Network segmentation (applies to: all)

Isolate the OneDev server from critical systems and implement strict firewall rules.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for suspicious YAML file uploads
  • Deploy WAF rules to block malicious YAML payloads and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check OneDev version via web interface or by examining the installation directory. Versions below 4.0.3 are vulnerable.

Check Version:

Check the web interface or run: java -jar onedev.jar --version

Verify Fix Applied:

Verify that the version is 4.0.3 or higher and test YAML file processing functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual YAML file uploads
  • Java class loading errors
  • ScriptEngineManager instantiation in logs
  • Unusual process execution from OneDev

Network Indicators:

  • Outbound connections from OneDev to unusual destinations
  • Unexpected network traffic patterns

SIEM Query:

source="onedev" AND ("YAML" OR "SnakeYaml" OR "ScriptEngineManager") AND severity=HIGH
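As an added example (not code from this page or from the OneDev project), the log indicators listed above run over constructed sample log lines, together with the 4.0.3 version check from the How to Verify section. The log layout, the function names `is_vulnerable_version`, `scan_onedev_log` and `summarize`, and the `SAMPLE_LOG` lines are all assumptions made for this example.

```python
import re

# Indicator patterns derived from the "Log Indicators" list above. The log
# layout is an assumption: the sample lines below are constructed, not real
# OneDev output, so adapt the regexes to the format your instance writes.
INDICATORS = {
    "yaml_upload": re.compile(r"upload.*\.ya?ml\b", re.IGNORECASE),
    "script_engine": re.compile(r"ScriptEngineManager"),
    "snakeyaml_error": re.compile(r"org\.yaml\.snakeyaml|SnakeYaml", re.IGNORECASE),
    "class_loading_error": re.compile(r"ClassNotFoundException|NoClassDefFoundError"),
    "process_exec": re.compile(r"ProcessBuilder|Runtime\.exec|/bin/sh|cmd\.exe"),
}

FIXED_VERSION = (4, 0, 3)  # first fixed release named on this page

def is_vulnerable_version(version):
    """True when a dotted numeric OneDev version sorts below 4.0.3 (numeric, not string, compare)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < FIXED_VERSION

def scan_onedev_log(lines):
    """Return one finding per log line that matches at least one indicator."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        hits = [name for name, pat in INDICATORS.items() if pat.search(line)]
        if hits:
            findings.append({"line": lineno, "indicators": hits, "text": line.strip()})
    return findings

def summarize(findings):
    """Count indicator types and flag the strongest combination: a ScriptEngineManager
    instantiation in the same log as a YAML upload or a SnakeYaml error."""
    counts = {}
    for f in findings:
        for name in f["indicators"]:
            counts[name] = counts.get(name, 0) + 1
    high = "script_engine" in counts and ("yaml_upload" in counts or "snakeyaml_error" in counts)
    return {"counts": counts, "high_confidence": high}

# Constructed sample log: one benign request followed by an indicator chain.
SAMPLE_LOG = [
    "2021-01-15 10:00:01 INFO  web - GET /projects/1 by alice",
    "2021-01-15 10:00:07 INFO  upload - user bob uploaded build-spec.yml (2 KB)",
    "2021-01-15 10:00:08 ERROR org.yaml.snakeyaml.constructor.Constructor - cannot create property",
    "2021-01-15 10:00:08 WARN  java.lang.ClassNotFoundException: com.example.Missing",
    "2021-01-15 10:00:09 INFO  javax.script.ScriptEngineManager instantiated in bob's session",
    "2021-01-15 10:00:10 WARN  child process started via ProcessBuilder from onedev-server",
]
```

Running `summarize(scan_onedev_log(SAMPLE_LOG))` on the constructed log returns `high_confidence` as `True`, because a ScriptEngineManager instantiation follows a YAML upload and a SnakeYaml error; a single indicator on its own is reported but not escalated.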
