{"id":"CVE-2021-21242","details":"OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or authorization checks. This issue may lead to pre-auth remote code execution. This issue was fixed in 4.0.3 by removing AttachmentUploadServlet and not using deserialization","modified":"2026-04-10T09:08:08.369910Z","published":"2021-01-15T21:15:13.227Z","related":["GHSA-5q3q-f373-2jv8"],"references":[{"type":"ADVISORY","url":"https://github.com/theonedev/onedev/security/advisories/GHSA-5q3q-f373-2jv8"},{"type":"FIX","url":"https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/theonedev/onedev","events":[{"introduced":"0"},{"fixed":"4bd71941974a1b077e955616d7ba3da6fd21670c"},{"fixed":"f864053176c08f59ef2d97fea192ceca46a4d9be"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.0.3"}]}}],"versions":["2.0-beta-build119","2.0-beta-build120","2.0.0","2.0.4","2.0.5","v3.0.10","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.1.0","v3.1.1","v3.1.2","v3.2.0","v3.2.1","v3.2.2","v3.2.3","v3.2.4","v4.0.0","v4.0.1","v4.0.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21242.json","vanir_signatures":[{"signature_type":"Line","id":"CVE-2021-21242-1db244ea","digest":{"threshold":0.9,"line_hashes":["95625459293646225704374460036311792085","273321650894875083722225609492360674247","149536289285787303731267568078931440840","153129500511295848752433879135494058160","280725881616314491843426525321533622769","64587437893124324345541872598393811221","261954739022427592811629948128489486283","88063712212969795176022280017739111091","95297895078723082419144244669703545413","268439824853052387133004616797889899095","313779442606465538915916064064527254332","145154703806985278637211269919190537424","266604171710259684688025983564039979192","50218575993495602755051458702088158154","245895669601739186523638829428724289326","120883246611349581128873288576490272750","151319452066297218069829476394365562585","143743956365062115489095094820433744129","294334602643461307138168689981109570879","263691793919998130918910994220020285177","147037953542251971823999906159723690766"]},"deprecated":false,"target":{"file":"server-product/src/main/java/io/onedev/server/product/ProductServletConfigurator.java"},"source":"https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be","signature_version":"v1"},{"signature_type":"Line","id":"CVE-2021-21242-1f0571d1","digest":{"threshold":0.9,"line_hashes":["256751552157367700744711932446284548929","107021468624948445515134062653427063912","313046391882167934489591927529070307651","301362883587848976738407231750262874044","186711964868064431750527798547340704217","213364005236987498956861439255402181889","133374288222721940077044672297674279471","30088399020270620000596782144212082372"]},"deprecated":false,"target":{"file":"server-core/src/main/java/io/onedev/server/web/BaseUrlMapper.java"},"source":"https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be","signature_version":"v1"},{"signature_type":"Line","id":"CVE-2021-21242-38dcc1df","digest":{"threshold":0.9,"line_hashes":["160863075934594246310087021931678412820","215554479813368762459437369309270037769","93690401609363424324047197393599282318","266300942678303023375527140782135736588","23313910523019223781396139937582948474","282880891850181747168844388074972579234","143579891697229622692577873933162300888","80558066068730365613547543164400555750"]},"deprecated":false,"target":{"file":"server-core/src/main/java/io/onedev/server/CoreModule.java"},"source":"https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2021-21242-3b3392ea","digest":{"length":832,"function_hash":"257240537605160715999981906308107906946"},"deprecated":false,"target":{"file":"server-core/src/main/java/io/onedev/server/web/component/markdown/AttachmentUploadServlet.java","function":"doPost"},"source":"https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2021-21242-7f4d41c5","digest":{"length":1431,"function_hash":"145814162199095249273376703435625445885"},"deprecated":false,"target":{"file":"server-product/src/main/java/io/onedev/server/product/ProductServletConfigurator.java","function":"configure"},"source":"https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2021-21242-809a68de","digest":{"length":2019,"function_hash":"273394235866300875759086043603048284626"},"deprecated":false,"target":{"file":"server-core/src/main/java/io/onedev/server/CoreModule.java","function":"configureWeb"},"source":"https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2021-21242-a2b9ad0f","digest":{"length":12115,"function_hash":"216139087569135330052738645608257158952"},"deprecated":false,"target":{"file":"server-core/src/main/java/io/onedev/server/web/component/markdown/MarkdownEditor.java","function":"onInitialize"},"source":"https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be","signature_version":"v1"},{"signature_type":"Line","id":"CVE-2021-21242-be215a68","digest":{"threshold":0.9,"line_hashes":["49541360837135790768534429726819087815","200537108741485271589568239126053926668","298355413294292382908846474181325170119","220699393177793245247100746068781675834","263505494837759318786661074108245226635","184121449870472071110530236464458845489","146291267804270856671916501344545440391","190887707810537948889131017229742134124","172196801818168756934215575011504024641","181010034319868991546119048082404778923","15104623613278015291099214083031339760","300942660232706504341397541571822591571","62764929970628014130494237343260208142","248580319244561220510607982272952252191","4180699673896947683939402850756221893","192903287207220378682861108203704877589","181812845064876615835486401508424392495","220143657503280630072624832485729031129","173699602687711222650091894960670826391","19186686223637199484015368435505167049","59237820954101049474697742183353555554","273845990207441843924559320195135462666","276083647709220164914377635139195677787","225583806824882289975660488592505389071","332423324066484944544728137604262895390","22626892541990244970600326514951091853","133351968693713748993518272953693199347","204709142282643463347360168177251607417","161505473530299524092327454807949620394","186353252857152253058669863182764854495","211230656414176033170855658196465620994","131300167355145676373397457845292816075","193110972337424188786230107628476454632","165472949058193466828942900374860079292","22589627147199411100799747245638376761","323537696931700007553900547699016785667","103842422699942942431319928769728158501"]},"deprecated":false,"target":{"file":"server-core/src/main/java/io/onedev/server/web/component/markdown/AttachmentUploadServlet.java"},"source":"https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be","signature_version":"v1"},{"signature_type":"Line","id":"CVE-2021-21242-d3c62876","digest":{"threshold":0.9,"line_hashes":["193827472473032349198916656616655988824","110349372901302503574408531241892097147","138343701779473806246517290565947726571","197260742834329359023693104316043107739","22551303965829082225179019240437640226","53153208773575113136524990447551821219","94665950748832079942127722450233004909","2520424659927787290652155525758641401","333242589073971635081353143976125015658","288773476244647545615827369536433233752","230484901352906823788139158837819406291","258630986431767073760140032479979438113","177496589037573182233146071964127141937","305926237917411974696773980567539787836","138533079535466457146270599617045327650","53266737264123240053475402772431482222","193174029157670538197664411039605041477","272950831747015756712582686979269538904","258773968772888376517918731296907617653","304015283333166495126655560300168419197","192372346614806192288486624778438345278","324301206150450347086368377275580794926","118277810330955228889193097844080344107","162197593692702360561368360085690666648","119155884465000972756269884865521773740","42051831734650327575302334695001357789","173861095529503293664661659985526150772","228202928922227531070100350900261771550","198482323340266083505124177305608046860","124062425854225632628081329662207605213","79857656579781679713873665099933085318","296685852313678411056972883291578897176","207510203917269129827776452081666488505","160964247068918040365226535556390340960","115599432104285824816673223251818123475","259691645451762211705118438902004577598","42198086015974555726797493426838165726","241808798852260072992872558212401649364","54045425023987604997772399630880574864","239582486391285077412710964813963476384","79923543039576080629388533534544156358","256552646668785559945996032112332460718","299196632734724631062938307224651275122","92457311509591101642247399740798547771","331771983089586118306666504918224822489","247775732407738421163310593625610379571","51785888503635678139702363863749067935","96938856483481073308701159051582907072","267898011051402378109401679103677025330","268104134655794463037991695149656163618","122951409984269102911945017415712293150","292772861779218544380703778568064764414","261729032346019768392433323962977067299","268099233654848844790346913685873781333"]},"deprecated":false,"target":{"file":"server-core/src/main/java/io/onedev/server/web/component/markdown/MarkdownEditor.java"},"source":"https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2021-21242-d59f843b","digest":{"length":347,"function_hash":"324458603091809535304543306867188567060"},"deprecated":false,"target":{"file":"server-product/src/main/java/io/onedev/server/product/ProductServletConfigurator.java","function":"ProductServletConfigurator"},"source":"https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be","signature_version":"v1"},{"signature_type":"Function","id":"CVE-2021-21242-de08b69d","digest":{"length":1246,"function_hash":"140934940039939154972924027995913260789"},"deprecated":false,"target":{"file":"server-core/src/main/java/io/onedev/server/web/component/markdown/MarkdownEditor.java","function":"renderHead"},"source":"https://github.com/theonedev/onedev/commit/f864053176c08f59ef2d97fea192ceca46a4d9be","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-10T09:08:08Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}