{"id":"CVE-2024-45309","summary":"OneDev vulnerable to arbitrary file reading for unauthenticated user","details":"OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9.","aliases":["GHSA-7wg5-6864-v489"],"modified":"2026-04-16T11:22:41.375114Z","published":"2024-10-21T14:55:18.293Z","database_specific":{"cwe_ids":["CWE-200"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45309.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45309.json"},{"type":"ADVISORY","url":"https://github.com/theonedev/onedev/security/advisories/GHSA-7wg5-6864-v489"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45309"},{"type":"FIX","url":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/theonedev/onedev","events":[{"introduced":"0"},{"fixed":"a942e6f26689f95932b6515c5b1ce948845fcc8e"},{"fixed":"4637aaac8c70d41aa789b7fce208b75c6a7b711f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"11.0.9"}]}}],"versions":["2.0-beta-build119","2.0-beta-build120","2.0.0","2.0.4","2.0.5","v10.0.0","v10.1.0","v10.1.1","v10.1.2","v10.1.3","v10.1.4","v10.1.5","v10.2.0","v10.2.1","v10.3.0","v10.3.1","v10.3.2","v10.3.3","v10.4.0","v10.5.1","v10.5.2","v10.6.0","v10.7.0","v10.7.1","v10.7.2","v10.7.3","v10.7.5","v10.7.6","v10.7.7","v10.8.0","v10.9.0","v10.9.1","v10.9.2","v10.9.3","v10.9.4","v10.9.5","v10.9.6","v11.0.0","v11.0.1","v11.0.6","v11.0.7","v11.0.8","v3.0.10","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.1.0","v3.1.1","v3.1.2","v3.2.0","v3.2.1","v3.2.2","v3.2.3","v3.2.4","v4.0.0","v4.0.1","v4.0.2","v4.0.3","v4.0.4","v4.0.5","v4.0.6","v4.0.7","v4.0.8","v4.0.9","v4.1.0","v4.1.2","v4.1.3","v4.1.4","v4.1.5","v4.1.6","v4.10.3","v4.11.0","v4.2.0","v4.2.1","v4.2.2","v4.2.3","v4.2.4","v4.2.5","v4.3.0","v4.3.2","v4.4.0","v4.4.1","v4.4.2","v4.4.3","v4.6.0","v4.6.1","v4.7.0","v4.8.0","v4.8.1","v4.9.0","v4.9.1","v4.9.2","v5.0.0","v5.0.1","v5.1.0","v5.2.0","v5.2.1","v5.2.2","v5.3.0","v5.3.1","v5.3.3","v5.4.0","v6.0.0","v6.1.0","v6.1.1","v6.1.2","v6.1.3","v6.1.4","v6.2.0","v6.2.1","v6.2.2","v6.2.3","v6.2.4","v6.3.0","v6.3.1","v6.3.10","v6.3.11","v6.3.12","v6.3.13","v6.3.2","v6.3.3","v6.3.4","v6.3.5","v6.3.6","v6.3.7","v6.3.8","v6.3.9","v7.0.0","v7.0.1","v7.0.2","v7.0.3","v7.1.0","v7.1.1","v7.1.2","v7.1.3","v7.1.6","v7.1.7","v7.1.8","v7.2.0","v7.2.1","v7.2.2","v7.2.3","v7.2.4","v7.2.5","v7.2.7","v7.2.8","v7.2.9","v7.3.0","v7.3.10","v7.3.11","v7.3.12","v7.3.13","v7.3.14","v7.3.15","v7.3.2","v7.3.3","v7.3.4","v7.3.5","v7.3.6","v7.3.7","v7.3.8","v7.3.9","v7.4.0","v7.4.1","v7.4.10","v7.4.11","v7.4.12","v7.4.13","v7.4.14","v7.4.15","v7.4.16","v7.4.17","v7.4.18","v7.4.19","v7.4.2","v7.4.20","v7.4.21","v7.4.22","v7.4.23","v7.4.24","v7.4.25","v7.4.26","v7.4.27","v7.4.28","v7.4.29","v7.4.3","v7.4.7","v7.4.8","v7.4.9","v7.5.0","v7.5.1","v7.5.2","v7.5.3","v7.6.0","v7.6.1","v7.6.2","v7.7.1","v7.7.12","v7.7.13","v7.7.14","v7.7.2","v7.7.5","v7.8.0","v7.8.1","v7.8.10","v7.8.11","v7.8.12","v7.8.13","v7.8.14","v7.8.15","v7.8.2","v7.8.3","v7.8.4","v7.8.5","v7.8.6","v7.8.7","v7.8.8","v7.8.9","v7.9.0","v7.9.1","v7.9.2","v7.9.3","v7.9.4","v7.9.5","v7.9.6","v7.9.7","v8.0.0","v8.0.1","v8.0.10","v8.0.11","v8.0.12","v8.0.13","v8.0.14","v8.0.15","v8.0.2","v8.0.3","v8.0.4","v8.0.5","v8.0.6","v8.0.7","v8.0.8","v8.0.9","v8.1.0","v8.1.1","v8.1.2","v8.1.3","v8.1.4","v8.1.5","v8.1.6","v8.2.0","v8.2.1","v8.2.2","v8.2.3","v8.2.4","v8.2.5","v8.2.7","v8.2.8","v8.3.0","v8.3.1","v8.3.2","v8.3.3","v8.3.4","v8.3.5","v8.3.6","v8.3.7","v8.3.8","v8.4.0","v8.4.1","v8.4.2","v8.5.0","v8.5.1","v8.5.2","v8.5.3","v8.5.4","v8.5.5","v8.5.6","v8.5.7","v8.5.8","v8.5.9","v8.6.0","v8.6.1","v8.6.10","v8.6.11","v8.6.12","v8.6.2","v8.6.4","v8.6.5","v8.6.6","v8.6.7","v8.6.8","v8.6.9"],"database_specific":{"vanir_signatures":[{"id":"CVE-2024-45309-01b08e8c","deprecated":false,"signature_version":"v1","target":{"file":"server-core/src/main/java/io/onedev/server/web/page/project/builds/detail/report/BuildReportPage.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["17091801927467545384306456525193501529","2541635229163854035444637766605149349","291075047241802231490866025179967174459","139104403493272573601974535604163061516","166772321430861631005463722869570277612"]}},{"id":"CVE-2024-45309-0bc478a1","deprecated":false,"signature_version":"v1","target":{"file":"server-core/src/main/java/io/onedev/server/web/page/project/blob/ProjectBlobPage.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["289171130462313555727560227688037383079","192059357820091802583552965992015499280","73102332366576608866873224018146845861","334417452817048479684662610576723007098","60222035346619250085230164163515481451","32719433910119696107228462809277574675","7712028294486113002327954263620299389","317192651729026646267714242607305930006"]}},{"id":"CVE-2024-45309-0e1a500c","deprecated":false,"signature_version":"v1","target":{"function":"BuildReportPage","file":"server-core/src/main/java/io/onedev/server/web/page/project/builds/detail/report/BuildReportPage.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Function","digest":{"length":110,"function_hash":"57023525199919084228826013778481185342"}},{"id":"CVE-2024-45309-0f07cbfe","deprecated":false,"signature_version":"v1","target":{"file":"server-core/src/main/java/io/onedev/server/web/resource/SiteFileResource.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["116151797399456233086216343259523920990","8490874399407575342932558364225150724","282421150575879856453582398144018322234","97609740887463135121111910957392500105","241631699806302386946645033202559783377","263844033473881126648947047932055533183","102735351307148156438054278943356739233","228436823994691611275383680905817266253","73267013825614844277797330844891889807","187151106564958971392548310590367241655","336694034131629942235733108973194152725","151002385854834560651347031634672496307","92504879292783330536140549310083191428","244712307391152333045783938270026161370","266083016417022382204295511213560885947"]}},{"id":"CVE-2024-45309-1cf18afb","deprecated":false,"signature_version":"v1","target":{"function":"newResourceResponse","file":"server-plugin/server-plugin-report-markdown/src/main/java/io/onedev/server/plugin/report/markdown/MarkdownReportDownloadResource.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Function","digest":{"length":2278,"function_hash":"19620118711999719594131323105265677088"}},{"id":"CVE-2024-45309-2a7ae0e3","deprecated":false,"signature_version":"v1","target":{"function":"onInitialize","file":"server-plugin/server-plugin-report-html/src/main/java/io/onedev/server/plugin/report/html/HtmlReportPage.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Function","digest":{"length":843,"function_hash":"262912815380965936114781903607253147883"}},{"id":"CVE-2024-45309-2dec4e9d","deprecated":false,"signature_version":"v1","target":{"file":"server-plugin/server-plugin-report-markdown/src/main/java/io/onedev/server/plugin/report/markdown/MarkdownReportPage.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["50580923492980019222591269545219114412","248006118170568380042916640522853771097","261063069499420970708124407792893440335","318545720795432891426571063229688797634","296475819302433717034067244716162068033","298715911139770158475629635119867667998","143666891076980810016403805188494874522","165948527871905058453093944087471691510","313726163654426510774014820900982753851"]}},{"id":"CVE-2024-45309-3a174a71","deprecated":false,"signature_version":"v1","target":{"file":"server-core/src/main/java/io/onedev/server/web/page/project/commits/CommitDetailPage.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["173522374391769316548645308014842346744","66889739458291965070922399662384918711","284796458395666015448895736455649843117","63650919580486882965091522996946705617","292225263410971582791395882045109606373","172005852200173054207895685883499392145","113032881452011302104275797113017566079","119792368840432735030451705189751244513","315267188380104404230757159645452506743","271988027964159941973690994894884101195","48047142858759354460198979813107426282","200668483486979397619454456998069797816"]}},{"id":"CVE-2024-45309-5c04114a","deprecated":false,"signature_version":"v1","target":{"file":"server-plugin/server-plugin-report-markdown/src/main/java/io/onedev/server/plugin/report/markdown/MarkdownReportDownloadResource.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["105122656827255158592258863599709865475","145293258974630139118384842369403105815","52603330438202111829384619248118996042","56710568985355727879817625380582362034","75390997116892666099292436930236173970","4894255107594914157106151864310115688","58520932644405994137896761319713017757","67619690202409540051184514761650964957"]}},{"id":"CVE-2024-45309-7d1364b3","deprecated":false,"signature_version":"v1","target":{"function":"newResourceResponse","file":"server-plugin/server-plugin-report-html/src/main/java/io/onedev/server/plugin/report/html/HtmlReportDownloadResource.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Function","digest":{"length":1614,"function_hash":"121357005763086903392268426707655956638"}},{"id":"CVE-2024-45309-96fa0bd2","deprecated":false,"signature_version":"v1","target":{"file":"server-plugin/server-plugin-report-html/src/main/java/io/onedev/server/plugin/report/html/HtmlReportPage.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["155828495288177133946721131541347677745","223804347946140429036630272222445455487","16167384308687402923813154705467349692","333996704505710739034496043243255305418","26175299186877468873977102947017320701","14392235311599850816268324465250745649","151711310309686530521956421923863911531","118905472191421775835145611762369796146","139104403493272573601974535604163061516","264370829900360101885204627882117809030","186940702771926130154612999160321713257","36632392257884667171146124509847470074","241970994203061461815243539659641026964","84020573748494035703310240327436114806","87300764434876137961114032778527420145","73795715605369797055486256119423713066","60329084954036338401628925871527281771","160187111217683822411511211474288829080","222299004953502186618026140802943385015"]}},{"id":"CVE-2024-45309-99268d38","deprecated":false,"signature_version":"v1","target":{"file":"server-core/src/main/java/io/onedev/server/web/resource/RawBlobResource.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["182819112034086036345804507849357263078","282421150575879856453582398144018322234","171451324164341670694386531744819125000","32719433910119696107228462809277574675","7712028294486113002327954263620299389","317192651729026646267714242607305930006"]}},{"id":"CVE-2024-45309-9c02e251","deprecated":false,"signature_version":"v1","target":{"function":"HtmlReportPage","file":"server-plugin/server-plugin-report-html/src/main/java/io/onedev/server/plugin/report/html/HtmlReportPage.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Function","digest":{"length":110,"function_hash":"57023525199919084228826013778481185342"}},{"id":"CVE-2024-45309-b5fd078b","deprecated":false,"signature_version":"v1","target":{"function":"newResourceResponse","file":"server-core/src/main/java/io/onedev/server/web/resource/RawBlobResource.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Function","digest":{"length":3997,"function_hash":"121282398739368989465128258001449193318"}},{"id":"CVE-2024-45309-b702bf9f","deprecated":false,"signature_version":"v1","target":{"file":"server-plugin/server-plugin-report-html/src/main/java/io/onedev/server/plugin/report/html/HtmlReportDownloadResource.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["105827059447773214203479473042372978566","333193918586193537926867972865454220495","236576289359497243057353981349957053197","237117921381462175541014242587508089057","75390997116892666099292436930236173970","4894255107594914157106151864310115688","58520932644405994137896761319713017757","67619690202409540051184514761650964957"]}},{"id":"CVE-2024-45309-b8b50f83","deprecated":false,"signature_version":"v1","target":{"function":"MarkdownReportPage","file":"server-plugin/server-plugin-report-markdown/src/main/java/io/onedev/server/plugin/report/markdown/MarkdownReportPage.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Function","digest":{"length":507,"function_hash":"309233666536091412732569069431505845855"}},{"id":"CVE-2024-45309-c70b83a3","deprecated":false,"signature_version":"v1","target":{"function":"newResourceResponse","file":"server-core/src/main/java/io/onedev/server/web/resource/ArtifactResource.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Function","digest":{"length":3215,"function_hash":"237447230218112417121930009070396536788"}},{"id":"CVE-2024-45309-e3728170","deprecated":false,"signature_version":"v1","target":{"function":"ProjectBlobPage","file":"server-core/src/main/java/io/onedev/server/web/page/project/blob/ProjectBlobPage.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Function","digest":{"length":1982,"function_hash":"9201479150519095335095433631221615317"}},{"id":"CVE-2024-45309-e9ef4928","deprecated":false,"signature_version":"v1","target":{"function":"CommitDetailPage","file":"server-core/src/main/java/io/onedev/server/web/page/project/commits/CommitDetailPage.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Function","digest":{"length":1494,"function_hash":"80692697868825211719546801260015077735"}},{"id":"CVE-2024-45309-f2512355","deprecated":false,"signature_version":"v1","target":{"file":"server-core/src/main/java/io/onedev/server/web/resource/ArtifactResource.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["90005595637715272356255899175513033809","4894255107594914157106151864310115688","58520932644405994137896761319713017757","67619690202409540051184514761650964957"]}},{"id":"CVE-2024-45309-f59113f4","deprecated":false,"signature_version":"v1","target":{"function":"newResourceResponse","file":"server-core/src/main/java/io/onedev/server/web/resource/SiteFileResource.java"},"source":"https://github.com/theonedev/onedev/commit/4637aaac8c70d41aa789b7fce208b75c6a7b711f","signature_type":"Function","digest":{"length":3511,"function_hash":"226502638786587423212573698111782908027"}}],"vanir_signatures_modified":"2026-04-16T11:22:41Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-45309.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}