CVE-2021-21245

CVE-2021-21245

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to upload a WebShell to OneDev server. This issue is addressed in 4.0.3 by only allowing uploaded file to be in attachments folder. The webshell issue is not possible as OneDev never executes files in attachments folder.

Source: CVE-2021-21245

답글 남기기

이메일 주소는 공개되지 않습니다. 필수 필드는 *로 표시됩니다