CVE-2022-39208
moderate-risk
Published 2022-09-13
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file disclosure vulnerability can be used by unauthenticated attackers to leak all project files of any project. Since project IDs are incremental, an attacker could iterate through them and leak all project data. This issue has been resolved in version 7.3.0 and users are advised to upgrade. There are no known workarounds for this issue.
Do I need to act?
-
0.63% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (6)
Third Party Advisory
https://github.com/theonedev/onedev/security/advisories/GHSA-h427-rv56-c9h2
Third Party Advisory
https://github.com/theonedev/onedev/security/advisories/GHSA-h427-rv56-c9h2
33
/ 100
moderate-risk
Severity
26/34 · High
Exploitability
2/34 · Minimal
Exposure
5/34 · Minimal