PT-2021-14355 · Onedev · Onedev

Pwntester · Published 2021-01-15 · Updated 2021-01-21 · CVE-2021-21245

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OneDev versions prior to 4.0.3
Description: OneDev is an all-in-one DevOps platform. In affected versions, the AttachmentUploadServlet writes the raw request body (request.getInputStream()) to a destination taken from the user-supplied File-Name request header (request.getHeader("File-Name")) without confining that destination to the attachments folder. This allows arbitrary file upload and could be used to place a web shell on the OneDev server; however, OneDev never executes files in the attachments folder, so the web shell scenario does not apply there.
Recommendations: For versions prior to 4.0.3, update to version 4.0.3 or later, which only allows uploaded files to be written inside the attachments folder and so addresses the issue.
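Added illustration, not OneDev's own code: the destination-path handling the description refers to, shown in the vulnerable shape (header value used directly) beside a hardened resolve-then-contain check of the kind the 4.0.3 fix implies. The class name, the attachments directory and the header values are assumed or constructed for the example.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class AttachmentPathCheck {

    // Vulnerable pattern from the advisory: the File-Name header value is used
    // as-is to build the destination, so "../" segments or an absolute path
    // leave the attachments folder. Kept here only for comparison.
    static Path unsafeTarget(Path attachmentsDir, String fileNameHeader) {
        return attachmentsDir.resolve(fileNameHeader);
    }

    // Hardened pattern: normalize the resolved path and require that it still
    // lies strictly inside the attachments folder; otherwise reject the upload.
    static Path safeTarget(Path attachmentsDir, String fileNameHeader) throws IOException {
        if (fileNameHeader == null || fileNameHeader.isEmpty()) {
            throw new IOException("missing File-Name header");
        }
        Path base = attachmentsDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(fileNameHeader).normalize();
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IOException("File-Name escapes attachments folder: " + fileNameHeader);
        }
        // If attachmentsDir may contain symlinks, compare toRealPath() results instead.
        return candidate;
    }

    public static void main(String[] args) {
        Path attachments = Paths.get("/srv/onedev/attachments"); // hypothetical location
        // Constructed header values: one benign name, two traversal attempts.
        String[] headers = { "report.pdf", "../../../tmp/outside.txt", "/etc/outside.txt" };
        for (String h : headers) {
            System.out.println("unsafe : " + unsafeTarget(attachments, h).normalize());
            try {
                System.out.println("safe   : " + safeTarget(attachments, h));
            } catch (IOException e) {
                System.out.println("safe   : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The unsafe branch shows the two traversal inputs resolving outside the attachments folder, while the hardened branch accepts only the benign name.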

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2021-21245
GHSA-62M2-38Q5-96W9

Affected Products

Onedev