PT-2022-24805 · Onedev · Onedev

Robinshine · Published 2022-09-13 · Updated 2022-10-01 · CVE-2022-39205

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Onedev versions prior to 7.3.0
Description: The issue allows unauthenticated attackers to take over an Onedev instance when it is not behind a properly configured reverse proxy. The "/git-prereceive-callback" endpoint, intended to be reachable only from localhost, can be invoked remotely, causing the server to execute git commands. Environment variables for that command execution can be controlled through query parameters, which lets an attacker write to arbitrary files and potentially execute arbitrary code. The attack is difficult to detect, which increases its potential impact.
Recommendations: For versions prior to 7.3.0, upgrade to version 7.3.0 or later. As a temporary workaround, restrict access to the "/git-prereceive-callback" endpoint to minimize the risk of exploitation, and ensure a properly configured reverse proxy is in place so that the endpoint cannot be reached from outside the host.
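As an added illustration (not code from the advisory or from the Onedev project), the following Python check scans web-server access-log lines for requests to the callback endpoint that come from any non-loopback client, which is the condition the advisory describes. The log lines, addresses and query string are constructed samples, and the combined access-log format is an assumption.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample lines in combined access-log format (not real traffic).
# Addresses are documentation values; the query string is a placeholder.
SAMPLE_LOG = """\
127.0.0.1 - - [13/Sep/2022:10:00:01 +0000] "GET /git-prereceive-callback?x=1 HTTP/1.1" 200 12 "-" "git/2.30.0"
203.0.113.7 - - [13/Sep/2022:10:00:02 +0000] "GET /git-prereceive-callback?x=1 HTTP/1.1" 200 12 "-" "curl/7.79.1"
203.0.113.9 - - [13/Sep/2022:10:00:03 +0000] "GET /projects HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
::1 - - [13/Sep/2022:10:00:04 +0000] "GET /git-prereceive-callback HTTP/1.1" 200 12 "-" "git/2.30.0"
not-a-log-line
"""

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

CALLBACK_PATH = "/git-prereceive-callback"


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def find_suspicious(log_text: str, endpoint: str = CALLBACK_PATH) -> list[dict]:
    """Return requests for `endpoint` whose client address is not loopback.

    The endpoint is meant to be reached only from localhost, so any other
    source is worth an alert regardless of the response status.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        path = urlsplit(m["target"]).path.rstrip("/") or "/"
        if path != endpoint or is_loopback(m["client"]):
            continue
        hits.append({"client": m["client"], "ts": m["ts"],
                     "status": int(m["status"]), "target": m["target"]})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {h['ts']} {h['client']} -> {h['target']} ({h['status']})")
```

If Onedev sits behind a reverse proxy, run this against the proxy's access log rather than the application's, since the application will record the proxy's address as the client.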

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2022-39205, GHSA-4F9H-H82C-4XM2

Affected Products: Onedev