CVE-2021-21248

Name of the Vulnerable Software and Affected Versions: OneDev versions prior to 4.0.3

Description: OneDev is an all-in-one devops platform with a critical issue involving the build endpoint parameters. The InputSpec is used to define parameters of a Build spec, utilizing dynamically generated Groovy classes. A user able to control job parameters can run arbitrary code on OneDev's server by injecting arbitrary Groovy code, resulting in the injection of a static constructor that will run arbitrary code.

Recommendations: For versions prior to 4.0.3, update to version 4.0.3 or later, which addresses the issue by escaping special characters such as quotes from user input. As a temporary workaround, consider restricting access to the build endpoint parameters to minimize the risk of exploitation.