Reports and Resources
Path Traversal in Onedev v7.4.14
CVE Number
CVE-2022-38301
Loginsoft ID
Loginsoft-2022-1010
Vulnerability Description
A path traversal vulnerability allows an attacker to gain unauthorized access to restricted directories and files on the server. An attacker with a project manager privilege can upload a malicious jar file into the “/opt/onedev/lib” directory as an artifact in project builds page which will be replacing the “io.onedev.server-plugin-executor-serverdocker-7.4.14.jar” file from the lib directory. Upon a server restart, the user can execute the uploaded malicious jar file by running a build which internally calls the executor plugin that leads to Remote code execution.
CWE ID
CWE-22
Versions Affected
<= v7.4.14
CVSS Score
7.5 (High)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Steps to reproduce:
- Login into application as a user with project manager privilege
- Create and run any sample build with any executor
![Path Traversal in Onedev v7.4.14](https://cdn.prod.website-files.com/65b289cb0ffb9c61ca03e8ed/65b6094cc28cd4c194ccbb26_Sample_Build.png)
- Select any build and navigate to the artifacts upload page to create a sample folder and upload a file
- Create a jar file with malicious code and pack it with same file name as on the server
![jar file code in Onedev v7.4.14](https://cdn.prod.website-files.com/65b289cb0ffb9c61ca03e8ed/65b6094cc28cd4c194ccbb2d_Jar_File.png)
- Now upload the malicious jar file to the directory with payload “../../../../../../lib” which will replace the original jar file in the lib directory
![Application and Run any build in Onedev v7.4.14](https://cdn.prod.website-files.com/65b289cb0ffb9c61ca03e8ed/65b6094cc28cd4c194ccbb33_Upload.png)
- After restarting the server, access the application and run any build
- We can see the uploaded malicious jar file executes and inserted log is generated during the build execution
![Build execution in Onedev v7.4.14](https://cdn.prod.website-files.com/65b289cb0ffb9c61ca03e8ed/65b6094cc28cd4c194ccbb30_JarFile_Executed.png)
Impact
This vulnerability leads to arbitrary file write in server and can also inject malicious jars that leads to remote code execution.
Mitigation:
To protect the application from this weakness it is advised to follow these instructions:
- Normalizing user-supplied input against such attacks as Path/Directory Traversal
- Do not allow special characters “..”,”/” in the file name or directory name
Fix Commit
https://github.com/theonedev/onedev/commit/5b6a19c1f7fe9c271acc4268bcd261a9a1cbb3ea
Identified Date
09 August, 2022
Disclosure Date
09 August, 2022
Credit
Bhargava Ram Koduru