PT-2021-14357 · Onedev · Onedev

Pwntester · Published 2021-01-15 · Updated 2021-01-21 · CVE-2021-21247

CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OneDev versions prior to 4.0.3
Description: OneDev is an all-in-one devops platform. The application's BasePage registers an AJAX event listener (AbstractPostAjaxBehavior) in all pages other than the login page. This listener decodes and deserializes the data query parameter. The listener can be reached by submitting a POST request to any page, which may lead to post-auth RCE. This endpoint is subject to authentication and requires a valid user to carry out the attack.
Recommendations: For versions prior to 4.0.3, update to version 4.0.3 or later, which addresses the issue by encrypting the serialization payload with secrets only known to the server. As a temporary workaround, consider restricting access to the AbstractPostAjaxBehavior listener until the update is applied. Avoid using the data query parameter in affected pages until the issue is resolved.
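The request pattern the description gives (a POST to any page other than the login page, carrying a serialized object in the data query parameter) can be checked for in web-server access logs while the update or workaround is being rolled out. The following Python is an added example, not OneDev code or part of the advisory; it assumes a common access-log line format, assumes that data is Base64-encoded Java serialization (the advisory only says the parameter is decoded), and uses sample log lines constructed here.

```python
import base64
import binascii
import re
from urllib.parse import urlparse, unquote_to_bytes

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Access-log shape assumed for this example: '"METHOD target HTTP/x.y" status'.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines; the second is the only one that matches the advisory's pattern.
SAMPLE_LOG = [
    '203.0.113.5 - alice [15/Jan/2021:10:01:02 +0000] "GET /projects HTTP/1.1" 200 5120',
    '203.0.113.5 - alice [15/Jan/2021:10:01:09 +0000] "POST /projects?data=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA%3D%3D HTTP/1.1" 200 312',
    '198.51.100.7 - bob [15/Jan/2021:10:02:40 +0000] "POST /login?data=rO0ABXNy HTTP/1.1" 302 0',
    '198.51.100.7 - bob [15/Jan/2021:10:03:01 +0000] "POST /issues?data=hello HTTP/1.1" 200 88',
]


def query_values(query: str, name: str):
    """Yield the percent-decoded bytes of every `name=` pair in a query string (kept as bytes
    so a raw serialized stream encoded as %AC%ED... is not mangled by text decoding)."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_to_bytes(key) == name.encode():
            yield unquote_to_bytes(value)


def looks_like_java_serialized(raw: bytes) -> bool:
    """True if the value, raw or after standard/URL-safe Base64 decoding, starts with the
    Java serialization header. Assumption: the listener Base64-decodes `data` first."""
    if raw.startswith(JAVA_SERIAL_MAGIC):
        return True
    padded = raw + b"=" * (-len(raw) % 4)  # tolerate stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            if decoder(padded).startswith(JAVA_SERIAL_MAGIC):
                return True
        except (binascii.Error, ValueError):
            continue
    return False


def suspicious_requests(log_lines):
    """Return (path, status) for POSTs outside the login page whose `data` query parameter
    carries a Java serialized object, which is the reachable path described in the advisory."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("method") != "POST":
            continue
        url = urlparse(m.group("target"))
        if url.path.rstrip("/").endswith("/login"):
            continue  # the listener is not registered on the login page
        if any(looks_like_java_serialized(v) for v in query_values(url.query, "data")):
            hits.append((url.path, int(m.group("status"))))
    return hits
```

A 200 on such a request is the case to investigate first; the check only inspects the query string, so a `data` value carried in the POST body is not covered.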

Weakness Enumeration

Deserialization of Untrusted Data
Special Elements Injection

Related Identifiers

CVE-2021-21247
GHSA-6PXF-75CF-VWJP

Affected Products

Onedev