CVE-2021-21251
📋 TL;DR
CVE-2021-21251 is a path traversal vulnerability in OneDev's TarUtils library that allows authenticated attackers to write arbitrary files anywhere on the filesystem. This affects OneDev versions before 4.0.3 and potentially other projects using the vulnerable TarUtils library. Attackers need a valid JobToken to exploit this vulnerability.
💻 Affected Systems
- OneDev
📦 What is this software?
Onedev by Onedev Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file overwrite leading to remote code execution, data destruction, or privilege escalation.
Likely Case
Unauthorized file modification, data corruption, or limited code execution within application context.
If Mitigated
No impact if proper path validation is implemented or access controls prevent exploitation.
🎯 Exploit Status
Exploitation requires a valid JobToken, which may require chaining with other vulnerabilities. The vulnerability itself is straightforward path traversal.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.3
Vendor Advisory: https://github.com/theonedev/onedev/security/advisories/GHSA-2w6j-wc8c-9mq2
Restart Required: Yes
Instructions:
1. Backup your OneDev installation and data.
2. Stop the OneDev service.
3. Upgrade to version 4.0.3 or later.
4. Restart the OneDev service.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Restrict KubernetesResource endpoint access
Limit network access to the KubernetesResource REST endpoint to trusted sources only.
JobToken rotation and restriction
Rotate all JobTokens and implement strict access controls on token usage.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OneDev instances
- Monitor file system changes and implement file integrity monitoring
🔍 How to Verify
Check if Vulnerable:
Check OneDev version via admin interface or by examining the installation directory for version files.
Check Version:
Check OneDev web interface admin panel or examine version.txt in installation directory.
Verify Fix Applied:
Verify version is 4.0.3 or later and test that tar extraction is restricted to intended directories.
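The "test that tar extraction is restricted to intended directories" step can be made concrete with a small checker. The following is an added example, not code from OneDev or its TarUtils library: it builds a constructed in-memory tar archive containing one benign entry, a `../` traversal entry, an absolute-path entry and a symlink pointing outside the destination, and reports which entries would escape before anything is written. The destination path `/srv/onedev/jobs/42` and the entry names are assumed sample values.

```python
import io
import os
import tarfile
import tempfile
from typing import Dict, List, Optional


def unsafe_members(tar: tarfile.TarFile, dest: str) -> List[str]:
    """Return the names of archive entries that would land outside dest.

    Three escape routes are checked: '../' traversal in the entry name,
    absolute entry names, and symlink/hardlink entries whose target resolves
    outside dest (a later entry could then write through the link).
    """
    dest_real = os.path.realpath(dest)
    flagged = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            flagged.append(member.name)
            continue
        if member.issym():
            # symlink targets are relative to the entry's own directory
            link = os.path.join(os.path.dirname(target), member.linkname)
        elif member.islnk():
            # hardlink targets are relative to the archive root
            link = os.path.join(dest_real, member.linkname)
        else:
            continue
        if os.path.commonpath([dest_real, os.path.realpath(link)]) != dest_real:
            flagged.append(member.name)
    return flagged


def safe_extract(archive: bytes, dest: str) -> List[str]:
    """Extract only if every entry stays inside dest; otherwise refuse."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError(f"refusing to extract, entries escape {dest}: {bad}")
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ and backports
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_archive(files: List[str], symlinks: Optional[Dict[str, str]] = None) -> bytes:
    """Build an in-memory tar: constructed sample data, not a real job artifact."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in files:
            data = b"sample output\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, linkname in (symlinks or {}).items():
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)
    return buf.getvalue()


def scan_sample(dest: str = "/srv/onedev/jobs/42") -> List[str]:
    """Run the check over a constructed archive mixing benign and escaping entries."""
    archive = build_archive(
        ["job/output.txt", "../../outside.txt", "/abs/outside.txt"],
        symlinks={"job/link": "../../escape"},
    )
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return unsafe_members(tar, dest)


def extract_clean_sample() -> List[str]:
    """Extract a benign archive into a fresh temp dir; returns extracted names."""
    with tempfile.TemporaryDirectory() as tmp:
        names = safe_extract(build_archive(["job/output.txt"]), tmp)
        if not os.path.isfile(os.path.join(tmp, "job", "output.txt")):
            return []
        return names


if __name__ == "__main__":
    print("flagged entries:", scan_sample())
    print("extracted:", extract_clean_sample())
```

Running the module prints the three escaping entries and confirms the benign archive extracts normally; pointing `safe_extract` at a real job artifact archive and a real destination is a direct test of whether extraction is confined to the intended directory.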
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations outside expected directories
- Multiple failed authentication attempts to KubernetesResource endpoint
- Unexpected tar extraction processes
Network Indicators:
- Unusual traffic patterns to /api/kubernetes endpoint
- Large tar file uploads to KubernetesResource endpoint
SIEM Query:
source="onedev" AND ((event="file_write" AND path NOT CONTAINS "/expected/directory/") OR (endpoint="/api/kubernetes" AND method="POST" AND size>1000000))