Onedev · Onedev · CVE-2026-44647
**Name of the Vulnerable Software and Affected Versions**
OneDev versions prior to 15.0.2
**Description**
OneDev is a Git server featuring CI/CD, kanban, and packages. A flaw exists where the boundary between repository-controlled LFS (Large File Storage) metadata and server-local filesystem paths is breached. This allows a repository object to redirect raw blob reads to arbitrary local files accessible by the server account. Consequently, any user with push permissions to a repository can access any server files that the server process has permission to read.
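The defensive check this flaw calls for is that an LFS pointer's object id is validated as a bare SHA-256 hex digest before it is ever turned into a storage path, and that the resolved path is confirmed to stay inside the LFS store. The following is an added illustration, not OneDev's code: the pointer format is the public Git LFS v1 pointer format, while the function names and the `<root>/<oid[:2]>/<oid[2:4]>/<oid>` storage layout are assumptions.

```python
import os
import re
from dataclasses import dataclass

# A Git LFS v1 pointer is a small text blob; its oid line is what a server
# uses to locate the stored object, so it must never be trusted as a path.
_OID_RE = re.compile(r"[0-9a-f]{64}")
_LFS_VERSION = "https://git-lfs.github.com/spec/v1"

@dataclass(frozen=True)
class LfsPointer:
    oid: str
    size: int

def parse_lfs_pointer(text: str) -> LfsPointer:
    """Parse a v1 pointer and reject anything whose oid is not pure hex."""
    fields = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(" ")
            fields[key] = value
    if fields.get("version") != _LFS_VERSION:
        raise ValueError("unsupported or missing LFS pointer version")
    algo, _, digest = fields.get("oid", "").partition(":")
    if algo != "sha256" or not _OID_RE.fullmatch(digest):
        raise ValueError("oid must be 'sha256:' plus 64 lowercase hex digits")
    if not fields.get("size", "").isdigit():
        raise ValueError("size must be a non-negative integer")
    return LfsPointer(oid=digest, size=int(fields["size"]))

def pointer_is_valid(text: str) -> bool:
    try:
        parse_lfs_pointer(text)
    except ValueError:
        return False
    return True

def resolve_lfs_object_path(storage_root: str, pointer: LfsPointer) -> str:
    """Map a validated oid to <root>/<oid[:2]>/<oid[2:4]>/<oid> (assumed layout)."""
    root = os.path.realpath(storage_root)
    candidate = os.path.realpath(
        os.path.join(root, pointer.oid[:2], pointer.oid[2:4], pointer.oid))
    # Defence in depth: the oid is hex-only, but still confirm the final path
    # stays inside the storage root before any file read is attempted.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved object path escapes the LFS storage root")
    return candidate
```

The two checks are independent on purpose: the strict oid grammar stops a repository-controlled value from carrying path syntax at all, and the root containment check catches any future change to the layout code that might reintroduce a way out.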
**Recommendations**
Update to version 15.0.2.