Home > Vulnerability Database > CVE-2022-39208

Mend.io Vulnerability Database

CVE-2022-39208

Good to know:

Date: September 13, 2022

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file disclosure vulnerability can be used by unauthenticated attackers to leak all project files of any project. Since project IDs are incremental, an attacker could iterate through them and leak all project data. This issue has been resolved in version 7.3.0 and users are advised to upgrade. There are no known workarounds for this issue.

Language: Java

Severity Score

7.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39208

Url: https://github.com/theonedev/onedev/commit/8aa94e0daf8447cdf76d4f27bfda0a85a7ea5822

Url: https://blog.sonarsource.com/onedev-remote-code-execution/

Url: https://github.com/theonedev/onedev/security/advisories/GHSA-h427-rv56-c9h2

Url: https://www.mend.io/vulnerability-database/CVE-2022-39208

Severity Score

7.5

Weakness Type (CWE)

Files or Directories Accessible to External Parties

CWE-552

Top Fix

Upgrade Version

Upgrade to version v7.3.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-39208

Good to know:

Date: September 13, 2022

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?