Onedev is a self-hosted Git server with CI/CD and Kanban. In versions prior to 7.9.12, the algorithm used to generate access tokens and password reset keys was not cryptographically secure. Existing normal users (or anyone, if self-registration is enabled) may exploit this to elevate privileges and obtain administrator permissions. This issue has been addressed in version 7.9.12. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| Link | Resource |
|---|---|
| https://github.com/theonedev/onedev/commit/d67dd9686897fe5e4ab881d749464aa7c06a68e5 | Patch, Third Party Advisory |
| https://github.com/theonedev/onedev/security/advisories/GHSA-jf5c-9r77-3j5j | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-02-07T23:25:11.397Z
Updated:
Reserved: 2023-01-30T14:43:33.706Z
Link: CVE-2023-24828
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-02-08T00:15:08.990
Modified: 2023-02-16T18:05:27.967
Link: CVE-2023-24828
JSON object: View
Redhat Information
No data.
CWE