Name of the Vulnerable Software and Affected Versions:
Onedev versions prior to 7.3.0
Description:
Onedev is an open source, self-hosted Git server with CI/CD and Kanban. Every file under the `/opt/onedev/sites/` directory is exposed by the web application and can be read by unauthenticated users. This directory holds all projects, including their bare Git repositories and build artifacts, so an unauthenticated attacker can retrieve the complete contents of any project. Because project IDs are assigned incrementally, an attacker does not need to know any project name: iterating over the IDs is enough to enumerate and leak every project on the instance.
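The ID walk described above leaves a recognisable trace: one client fetching project after project in ascending order with no session attached. The following detection script is an added example, not code from the advisory or from the OneDev project. It assumes a reverse proxy in front of OneDev that logs one request per line as `client_ip timestamp method path status session` (with `-` in the last column when no session cookie was sent), and it assumes project content appears under a `/projects/<id>/...` path; both the log format and that path shape are assumptions for illustration, since the advisory does not state the exact URL through which `/opt/onedev/sites/` is served. The log lines in the block are constructed sample data.

```python
"""Flag clients that walk sequential project IDs without a session.

Added example (not part of the advisory or of OneDev). Assumptions:
  * reverse-proxy log format: <ip> <timestamp> <method> <path> <status> <session>
    where <session> is "-" when the request carried no session cookie;
  * project content is served under /projects/<id>/... (assumed path shape).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<session>\S+)$"
)
# Assumed path shape; adjust to the path your proxy actually sees.
PROJECT_RE = re.compile(r"^/projects/(?P<pid>\d+)(?:/|$)")

# Constructed sample log: one unauthenticated client walks IDs 1..5 (5 does not
# exist), one authenticated user reads a single project, one unauthenticated
# client reads two non-adjacent projects.
SAMPLE_LOG = """\
203.0.113.7 2020-01-01T10:00:01Z GET /projects/1/files 200 -
203.0.113.7 2020-01-01T10:00:02Z GET /projects/2/files 200 -
203.0.113.7 2020-01-01T10:00:03Z GET /projects/3/files 200 -
203.0.113.7 2020-01-01T10:00:04Z GET /projects/4/files 200 -
203.0.113.7 2020-01-01T10:00:05Z GET /projects/5/files 404 -
198.51.100.3 2020-01-01T10:00:06Z GET /projects/42/files 200 sess-a1b2
203.0.113.9 2020-01-01T10:00:07Z GET /projects/7/files 200 -
203.0.113.9 2020-01-01T10:00:08Z GET /projects/9/files 200 -
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def longest_consecutive_run(ids):
    """Longest stretch of IDs increasing by exactly one, in request order."""
    best, run = [], []
    for pid in ids:
        if run and pid == run[-1]:
            continue                      # repeated fetch of the same project
        if run and pid == run[-1] + 1:
            run.append(pid)
        else:
            run = [pid]
        if len(run) > len(best):
            best = list(run)
    return best


def find_enumerators(lines, min_run=3):
    """Map client IP -> the run of project IDs it read without a session.

    Only successful (200) reads count: a 404 in the middle of a walk is normal
    for an enumerator, so it neither extends nor breaks the run.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["session"] != "-" or rec["status"] != 200:
            continue
        m = PROJECT_RE.match(rec["path"])
        if m:
            by_ip[rec["ip"]].append(int(m.group("pid")))
    hits = {}
    for ip, ids in by_ip.items():
        run = longest_consecutive_run(ids)
        if len(run) >= min_run:
            hits[ip] = run
    return hits


if __name__ == "__main__":
    for ip, run in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: unauthenticated sequential reads of projects {run[0]}..{run[-1]}")
```

On the sample data only `203.0.113.7` is reported (projects 1 through 4); the authenticated read and the two non-adjacent reads are ignored. Keep `min_run` small for a private instance where unauthenticated access is never expected, and raise it for a public instance where anonymous browsing of a few projects is legitimate.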
Recommendations:
Upgrade to version 7.3.0 or later, which resolves the issue. Until the upgrade is applied, restrict who can reach the instance at all, for example by placing it behind a reverse proxy or VPN that only admits trusted users or networks. Tightening filesystem permissions on `/opt/onedev/sites/` alone is not a sufficient workaround, because the OneDev process itself must still read that directory to serve projects, and it is the application that exposes the files.