Critical vulnerability reported in OneDev DevOps platform
Take action: If you are using OneDev, patch it ASAP. As a DevOps platform it is reachable by a wide audience and is tightly integrated with, and trusted by, many other systems, so a compromise can be very damaging.
Learn More
A critical vulnerability has been identified in the OneDev DevOps platform. OneDev integrates several essential tools, such as Git server capabilities, continuous integration/continuous deployment (CI/CD), kanban boards, and package management, making it a popular choice among development teams.
The flaw is tracked as CVE-2024-45309 (CVSS score 7.5, but OneDev considers it critical). It affects versions prior to 11.0.9 and allows unauthenticated users, with no valid credentials, to read arbitrary files that are accessible to the OneDev server process. This means attackers could gain unauthorized access to sensitive data stored on the server, including:
- Configuration files
- Source code
- Critical assets
The unauthorized access enabled by CVE-2024-45309 could result in:
- Exposure of sensitive information
- Further attacks, including privilege escalation
- Deployment of malware
- Disruption of development processes
OneDev has addressed the issue by releasing version 11.0.9. All users of affected versions (<=11.0.8) are strongly advised to update to the latest version immediately to prevent exploitation.
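To act on the advisory you first need to know which of your OneDev instances are still on an affected release. The following inventory check is an added example (not OneDev's own code or the advisory's) that compares version strings against the fixed release 11.0.9; the hostnames and versions are constructed, the optional "v" prefix is an assumption, and a pre-release of the fixed version is conservatively treated as still affected.

```python
"""Inventory check for CVE-2024-45309: flag OneDev instances running a
release before 11.0.9 (the fixed version named in the advisory).
Added example; not code from OneDev or the advisory."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

FIXED_VERSION = "11.0.9"  # first release containing the fix

# Optional leading "v", dotted numeric core, optional pre-release/build tag.
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:[-+]([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> Optional[Tuple[Tuple[int, ...], bool]]:
    """Return (numeric core, has_prerelease_tag), or None if unparseable."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    core = tuple(int(part) for part in match.group(1).split("."))
    return core, match.group(2) is not None


def _pad(parts: Tuple[int, ...], length: int) -> Tuple[int, ...]:
    return parts + (0,) * (length - len(parts))


def is_affected(version: str) -> Optional[bool]:
    """True if older than the fix, False if fixed, None if version is unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return None  # cannot tell; needs manual review
    core, prerelease = parsed
    fixed, _ = parse_version(FIXED_VERSION)
    width = max(len(core), len(fixed))
    core, fixed = _pad(core, width), _pad(fixed, width)
    if core < fixed:
        return True
    # Assumption: a pre-release of 11.0.9 (e.g. 11.0.9-rc1) predates the fix.
    return core == fixed and prerelease


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts into 'patch' (affected), 'ok' (fixed) and 'review' (unknown)."""
    report: Dict[str, List[str]] = {"patch": [], "ok": [], "review": []}
    for host, version in inventory:
        verdict = is_affected(version)
        key = "review" if verdict is None else ("patch" if verdict else "ok")
        report[key].append(host)
    return report


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("onedev-prod", "11.0.8"),
    ("onedev-staging", "v11.0.9"),
    ("onedev-dev", "10.9.12"),
    ("onedev-rc", "11.0.9-rc1"),
    ("onedev-new", "11.1.0"),
    ("onedev-lab", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts listed under "patch" should be upgraded immediately; those under "review" reported a version string the script could not parse and must be checked by hand.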