PT-2021-14353 · Onedev · Onedev

Pwntester · Published 2021-01-15 · Updated 2021-01-21 · CVE-2021-21243

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OneDev versions prior to 4.0.3
Description: OneDev is an all-in-one DevOps platform. In OneDev, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorization checks. This issue may lead to pre-authentication remote code execution (RCE).
Recommendations: For versions prior to 4.0.3, update to version 4.0.3 or later, which fixes the issue by not using deserialization at the KubernetesResource side. As a temporary workaround, consider restricting access to the vulnerable Kubernetes REST endpoint until the update is applied.

Fix

Weakness Enumeration

Deserialization of Untrusted Data
Special Elements Injection

Related Identifiers

CVE-2021-21243
GHSA-9MMQ-FM8C-Q4FV

Affected Products

Onedev