CVE-2022-39206

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daemon on the host machine. This is a known dangerous pattern, as it can be used to break out of Docker containers and, in most cases, gain root privileges on the host system. This issue allows regular (non-admin) users to potentially take over the build infrastructure of a OneDev instance. Attackers need to have an account (or be able to register one) and need permission to create a project. Since code.onedev.io has the right preconditions for this to be exploited by remote attackers, it could have been used to hijack builds of OneDev itself, e.g. by injecting malware into the docker images that are built and pushed to Docker Hub. The impact is increased by this as described before. Users are advised to upgrade to 7.3.0 or higher. There are no known workarounds for this issue.
Configurations

Configuration 1 (hide)

cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:*

History

22 Sep 2022, 20:15

Type Values Removed Values Added
References
  • (MISC) https://blog.sonarsource.com/onedev-remote-code-execution/ -

16 Sep 2022, 02:39

Type Values Removed Values Added
CPE cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.9
First Time Onedev Project
Onedev Project onedev
References (CONFIRM) https://github.com/theonedev/onedev/security/advisories/GHSA-gjq9-4xx9-cr3q - (CONFIRM) https://github.com/theonedev/onedev/security/advisories/GHSA-gjq9-4xx9-cr3q - Third Party Advisory
References (MISC) https://github.com/theonedev/onedev/commit/0052047a5b5095ac6a6b4a73a522d0272fec3a22 - (MISC) https://github.com/theonedev/onedev/commit/0052047a5b5095ac6a6b4a73a522d0272fec3a22 - Patch, Third Party Advisory

13 Sep 2022, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-09-13 19:15

Updated : 2022-09-22 20:15


NVD link : CVE-2022-39206

Mitre link : CVE-2022-39206


JSON object : View

Products Affected

onedev_project

  • onedev
CWE
CWE-610

Externally Controlled Reference to a Resource in Another Sphere