CVE-2021-21250: OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When...

Description

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString); which processes the XML document without preventing the expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents in the final XML document to be migrated. If the files are dumped in properties included in the YAML file, it will be possible for an attacker to read them. If not, it is possible for an attacker to exfiltrate the contents of these files Out Of Band. This issue was addressed in 4.0.3 by ignoring ENTITY instructions in xml file.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.93%

56.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-538

Affected Software

Vendor	Product	Versions
Onedev Project	Onedev	< 4.0.3

References

https://github.com/theonedev/onedev/commit/9196fd795e87dab069b4260a3590a0ea886e770fPatch, Third Party Advisory
https://github.com/theonedev/onedev/security/advisories/GHSA-9pph-8gfc-6w2rThird Party Advisory
https://github.com/theonedev/onedev/commit/9196fd795e87dab069b4260a3590a0ea886e770fPatch, Third Party Advisory
https://github.com/theonedev/onedev/security/advisories/GHSA-9pph-8gfc-6w2rThird Party Advisory

Timeline

Published: Jan 15, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-21250?

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString); which processes the XML document without preventing the expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents in the final XML document to be migrated. If the files are dumped in properties included in the YAML file, it will be possible for an attacker to read them. If not, it is possible for an attacker to exfiltrate the contents of these files Out Of Band. This issue was addressed in 4.0.3 by ignoring ENTITY instructions in xml file.

How severe is CVE-2021-21250?

CVE-2021-21250 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.93% probability of exploitation in the next 30 days.

How do I fix CVE-2021-21250?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.