CVE-2022-39206: Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker...

Description

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daemon on the host machine. This is a known dangerous pattern, as it can be used to break out of Docker containers and, in most cases, gain root privileges on the host system. This issue allows regular (non-admin) users to potentially take over the build infrastructure of a OneDev instance. Attackers need to have an account (or be able to register one) and need permission to create a project. Since code.onedev.io has the right preconditions for this to be exploited by remote attackers, it could have been used to hijack builds of OneDev itself, e.g. by injecting malware into the docker images that are built and pushed to Docker Hub. The impact is increased by this as described before. Users are advised to upgrade to 7.3.0 or higher. There are no known workarounds for this issue.

Metrics

CVSS 3.1

9.9/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Probability

1.65%

73.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-610

Affected Software

Vendor	Product	Versions
Onedev Project	Onedev	< 7.3.0

References

https://blog.sonarsource.com/onedev-remote-code-execution/Exploit, Third Party Advisory
https://github.com/theonedev/onedev/commit/0052047a5b5095ac6a6b4a73a522d0272fec3a22Patch, Third Party Advisory
https://github.com/theonedev/onedev/security/advisories/GHSA-gjq9-4xx9-cr3qThird Party Advisory
https://blog.sonarsource.com/onedev-remote-code-execution/Exploit, Third Party Advisory
https://github.com/theonedev/onedev/commit/0052047a5b5095ac6a6b4a73a522d0272fec3a22Patch, Third Party Advisory
https://github.com/theonedev/onedev/security/advisories/GHSA-gjq9-4xx9-cr3qThird Party Advisory

Timeline

Published: Sep 13, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-39206?

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daemon on the host machine. This is a known dangerous pattern, as it can be used to break out of Docker containers and, in most cases, gain root privileges on the host system. This issue allows regular (non-admin) users to potentially take over the build infrastructure of a OneDev instance. Attackers need to have an account (or be able to register one) and need permission to create a project. Since code.onedev.io has the right preconditions for this to be exploited by remote attackers, it could have been used to hijack builds of OneDev itself, e.g. by injecting malware into the docker images that are built and pushed to Docker Hub. The impact is increased by this as described before. Users are advised to upgrade to 7.3.0 or higher. There are no known workarounds for this issue.

How severe is CVE-2022-39206?

CVE-2022-39206 has a CVSS score of 9.9/10 (CRITICAL severity). The EPSS model estimates a 1.65% probability of exploitation in the next 30 days.

How do I fix CVE-2022-39206?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.