PT-2022-24806 · Onedev · Onedev

Robinshine · Published 2022-09-13 · Updated 2022-10-01 · CVE-2022-39206

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OneDev versions prior to 7.3.0

Description: OneDev is an open source, self-hosted Git server with CI/CD and Kanban. When Docker-based job executors are used, the Docker daemon socket of the host is mounted into every Docker step, so any user who can define and trigger CI/CD jobs can drive the host's Docker daemon from inside a build container. With control of the daemon, a job can start a new container that mounts the host filesystem or runs privileged, breaking out of the build container and obtaining root on the host and, from there, taking over the build infrastructure of a OneDev instance. Exploitation requires an account with permission to create a project, which explains the PR:L and S:C components of the vector. The impact is increased because the same technique could be used to hijack builds of OneDev itself, injecting malware into Docker images that are built and pushed to Docker Hub.
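The condition described above (a Docker daemon socket bind-mounted into a build container) is visible in `docker inspect` output on the executor host. The following audit script is an added example, not code from the OneDev project or from this advisory: it scans inspect JSON for containers that carry a Docker socket mount or run privileged, which are exactly the containers from which a job can take over the host. The `SAMPLE` data is constructed here to run offline; `audit_live_host()` runs the same check against the local daemon with `docker ps` and `docker inspect`, whose output format is the standard Docker one.

```python
import json
import subprocess
from typing import Iterable

# Host paths under which the Docker daemon socket is normally exposed.
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")


def socket_mounts(container: dict) -> list[str]:
    """Return the host paths of any Docker daemon socket bind-mounted into a container.

    Both the resolved "Mounts" list and the raw "HostConfig.Binds" (-v src:dst form)
    are checked, since either may be present in docker inspect output.
    """
    found: list[str] = []
    for m in container.get("Mounts", []):
        src = m.get("Source", "")
        if m.get("Type") == "bind" and src.rstrip("/") in DOCKER_SOCKETS:
            found.append(src)
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src.rstrip("/") in DOCKER_SOCKETS and src not in found:
            found.append(src)
    return found


def audit(containers: Iterable[dict]) -> list[dict]:
    """Flag containers that can control the host: socket access or --privileged."""
    findings = []
    for c in containers:
        socks = socket_mounts(c)
        privileged = bool(c.get("HostConfig", {}).get("Privileged"))
        if socks or privileged:
            findings.append({
                "id": c.get("Id", "")[:12],
                "name": c.get("Name", "").lstrip("/"),
                "socket_mounts": socks,
                "privileged": privileged,
            })
    return findings


def audit_live_host() -> list[dict]:
    """Run the audit against the local Docker daemon (requires docker CLI access)."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return []
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True,
                         text=True, check=True).stdout
    return audit(json.loads(out))


# Constructed sample in docker inspect shape: one build-step container with the
# host socket mounted (the vulnerable pattern) and one clean container.
SAMPLE = json.loads("""
[
  {
    "Id": "3f1a9c2b7d6e4a5f8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a",
    "Name": "/onedev-step-build",
    "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"], "Privileged": false},
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock", "RW": true}]
  },
  {
    "Id": "a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e",
    "Name": "/onedev-step-test",
    "HostConfig": {"Binds": ["/srv/cache:/cache:ro"], "Privileged": false},
    "Mounts": [{"Type": "bind", "Source": "/srv/cache", "Destination": "/cache", "RW": false}]
  }
]
""")

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['id']} {f['name']}: socket={f['socket_mounts']} privileged={f['privileged']}")
```

A non-empty result on a OneDev executor host before 7.3.0 confirms the exposure; on a patched host, a finding for a step container indicates that a job definition deliberately requests the socket and deserves the same scrutiny.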
Recommendations: Upgrade to OneDev version 7.3.0 or later. There are no known workarounds for this issue. Because exploitation requires an account that can create a project, restricting who holds that permission and keeping executor hosts isolated from production systems reduces exposure until the upgrade is applied, but does not close the issue.

Related Identifiers

CVE-2022-39206
GHSA-GJQ9-4XX9-CR3Q

Affected Products

Onedev