{
  "id": "CVE-2021-21245",
  "details": "OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader(\"File-Name\")`). This issue may lead to arbitrary file upload which can be used to upload a WebShell to OneDev server. This issue is addressed in 4.0.3 by only allowing uploaded file to be in attachments folder. The webshell issue is not possible as OneDev never executes files in attachments folder.",
  "modified": "2026-04-12T01:00:57.092978Z",
  "published": "2021-01-15T21:15:13.413Z",
  "related": ["GHSA-62m2-38q5-96w9"],
  "references": [
    {"type": "ADVISORY", "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-62m2-38q5-96w9"},
    {"type": "FIX", "url": "https://github.com/theonedev/onedev/commit/0c060153fb97c0288a1917efdb17cc426934dacb"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/theonedev/onedev",
          "events": [
            {"introduced": "0"},
            {"fixed": "4bd71941974a1b077e955616d7ba3da6fd21670c"},
            {"fixed": "0c060153fb97c0288a1917efdb17cc426934dacb"}
          ],
          "database_specific": {
            "extracted_events": [{"introduced": "0"}, {"fixed": "4.0.3"}],
            "cpe": "cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:*",
            "source": ["CPE_FIELD", "REFERENCES"]
          }
        }
      ],
      "versions": ["2.0-beta-build119", "2.0-beta-build120", "2.0.0", "2.0.4", "2.0.5", "v3.0.10", "v3.0.4", "v3.0.5", "v3.0.6", "v3.0.7", "v3.0.8", "v3.0.9", "v3.1.0", "v3.1.1", "v3.1.2", "v3.2.0", "v3.2.1", "v3.2.2", "v3.2.3", "v3.2.4", "v4.0.0", "v4.0.1", "v4.0.2"],
      "database_specific": {
        "vanir_signatures": [
          {
            "deprecated": false,
            "digest": {"threshold": 0.9, "line_hashes": ["68203522421868111055108866174825251762", "301002256770212939254408022070142109453", "339626886039113386921761916749182874522", "101762259851870068948437845586928594840", "282833400354987958042928542371407521959", "134149704328623210705218927821726940959", "5550215339944669665682725599663046819", "146115874464915822923565610348893730042"]},
            "target": {"file": "server-core/src/main/java/io/onedev/server/web/page/project/blob/ProjectBlobPage.java"},
            "signature_type": "Line",
            "source": "https://github.com/theonedev/onedev/commit/0c060153fb97c0288a1917efdb17cc426934dacb",
            "signature_version": "v1",
            "id": "CVE-2021-21245-04944a0c"
          },
          {
            "deprecated": false,
            "digest": {"function_hash": "199273587027778294311983141165845195954", "length": 489},
            "target": {"function": "onSubmit", "file": "server-core/src/main/java/io/onedev/server/web/component/markdown/InsertUrlPanel.java"},
            "signature_type": "Function",
            "source": "https://github.com/theonedev/onedev/commit/0c060153fb97c0288a1917efdb17cc426934dacb",
            "signature_version": "v1",
            "id": "CVE-2021-21245-1b84571f"
          },
          {
            "deprecated": false,
            "digest": {"function_hash": "231174408872123106262615563794215877225", "length": 13377},
            "target": {"function": "onInitialize", "file": "server-core/src/main/java/io/onedev/server/web/component/markdown/MarkdownEditor.java"},
            "signature_type": "Function",
            "source": "https://github.com/theonedev/onedev/commit/0c060153fb97c0288a1917efdb17cc426934dacb",
            "signature_version": "v1",
            "id": "CVE-2021-21245-4c6ad312"
          },
          {
            "deprecated": false,
            "digest": {"threshold": 0.9, "line_hashes": ["71490945039762648379486463227422793854", "326424146246282608083812845309723917773", "323025613690465624190610275038974409218", "137813809456971632981783742077610999066", "163551665889883379003005440255489964254", "111510506616405719481430058902374841173", "111598306767407879490661511495796334752", "198058465009569683240728768469972106180"]},
            "target": {"file": "server-core/src/main/java/io/onedev/server/web/component/markdown/MarkdownEditor.java"},
            "signature_type": "Line",
            "source": "https://github.com/theonedev/onedev/commit/0c060153fb97c0288a1917efdb17cc426934dacb",
            "signature_version": "v1",
            "id": "CVE-2021-21245-5b4279d9"
          },
          {
            "deprecated": false,
            "digest": {"function_hash": "216067098496503674622838607151643821721", "length": 1518},
            "target": {"function": "uploadFiles", "file": "server-core/src/main/java/io/onedev/server/web/page/project/blob/ProjectBlobPage.java"},
            "signature_type": "Function",
            "source": "https://github.com/theonedev/onedev/commit/0c060153fb97c0288a1917efdb17cc426934dacb",
            "signature_version": "v1",
            "id": "CVE-2021-21245-7edc56e8"
          },
          {
            "deprecated": false,
            "digest": {"function_hash": "164796192835544860218010015932048152700", "length": 967},
            "target": {"function": "respond", "file": "server-core/src/main/java/io/onedev/server/web/component/markdown/MarkdownEditor.java"},
            "signature_type": "Function",
            "source": "https://github.com/theonedev/onedev/commit/0c060153fb97c0288a1917efdb17cc426934dacb",
            "signature_version": "v1",
            "id": "CVE-2021-21245-923e5fa3"
          },
          {
            "deprecated": false,
            "digest": {"threshold": 0.9, "line_hashes": ["296563230502315059761295015935772625794", "298741300719722805911965576311254977537", "41216816378215337085423341808433100551", "180216113435124579434363347027932354379", "309980154869000824139597034724917227595", "170205935300670596839733923114339707297", "43530206946221354747395546014537666143", "183298173509185813505720235553199240660"]},
            "target": {"file": "server-core/src/main/java/io/onedev/server/web/component/markdown/InsertUrlPanel.java"},
            "signature_type": "Line",
            "source": "https://github.com/theonedev/onedev/commit/0c060153fb97c0288a1917efdb17cc426934dacb",
            "signature_version": "v1",
            "id": "CVE-2021-21245-c85b300b"
          },
          {
            "deprecated": false,
            "digest": {"function_hash": "239357163326393088114838846454917834193", "length": 5463},
            "target": {"function": "newUploadPanel", "file": "server-core/src/main/java/io/onedev/server/web/component/markdown/InsertUrlPanel.java"},
            "signature_type": "Function",
            "source": "https://github.com/theonedev/onedev/commit/0c060153fb97c0288a1917efdb17cc426934dacb",
            "signature_version": "v1",
            "id": "CVE-2021-21245-ca0ee28b"
          }
        ],
        "vanir_signatures_modified": "2026-04-12T01:00:57Z",
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21245.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]
}