{"containers": {"cna": {"affected": [{"product": "onedev", "vendor": "theonedev", "versions": [{"status": "affected", "version": "<= 4.4.1"}]}], "descriptions": [{"lang": "en", "value": "OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-90", "description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-01T17:15:12.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-5864-2496-4xjf"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/theonedev/onedev/commit/4440f0c57e440488d7e653417b2547eaae8ad19c"}], "source": {"advisory": "GHSA-5864-2496-4xjf", "discovery": "UNKNOWN"}, "title": "LDAP injection via OneDev may leak some LDAP directory information", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32651", "STATE": "PUBLIC", "TITLE": "LDAP injection via OneDev may leak some LDAP directory information"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "onedev", "version": {"version_data": [{"version_value": "<= 4.4.1"}]}}]}, "vendor_name": "theonedev"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/theonedev/onedev/security/advisories/GHSA-5864-2496-4xjf", "refsource": "CONFIRM", "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-5864-2496-4xjf"}, {"name": "https://github.com/theonedev/onedev/commit/4440f0c57e440488d7e653417b2547eaae8ad19c", "refsource": "MISC", "url": "https://github.com/theonedev/onedev/commit/4440f0c57e440488d7e653417b2547eaae8ad19c"}]}, "source": {"advisory": "GHSA-5864-2496-4xjf", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:25:30.942Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-5864-2496-4xjf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/theonedev/onedev/commit/4440f0c57e440488d7e653417b2547eaae8ad19c"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32651", "datePublished": "2021-06-01T17:15:12.000Z", "dateReserved": "2021-05-12T00:00:00.000Z", "dateUpdated": "2024-08-03T23:25:30.942Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:*", "matchCriteriaId": "36DF0039-F0C3-4536-98CF-FC08028C065F", "versionEndExcluding": "4.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OneDev is a development operations platform. If the LDAP external authentication mechanism is enabled in OneDev versions 4.4.1 and prior, an attacker can manipulate a user search filter to send forged queries to the application and explore the LDAP tree using Blind LDAP Injection techniques. The specific payload depends on how the User Search Filter property is configured in OneDev. This issue was fixed in version 4.4.2."}, {"lang": "es", "value": "OneDev es una plataforma de operaciones de desarrollo. Si el mecanismo de autenticaci\u00f3n externa LDAP est\u00e1 habilitado en OneDev versiones 4.4.1 y anteriores, un atacante puede manipular un filtro de b\u00fasqueda de usuario para enviar consultas falsas hacia la aplicaci\u00f3n y explorar el LDAP tree usando t\u00e9cnicas de inyecci\u00f3n Blind LDAP. La carga \u00fatil espec\u00edfica depende de c\u00f3mo la propiedad User Search Filter est\u00e1 configurada en OneDev. Este problema fue corregido en versi\u00f3n 4.4.2"}], "id": "CVE-2021-32651", "lastModified": "2024-11-21T06:07:27.657", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-01T18:15:07.747", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/theonedev/onedev/commit/4440f0c57e440488d7e653417b2547eaae8ad19c"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-5864-2496-4xjf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/theonedev/onedev/commit/4440f0c57e440488d7e653417b2547eaae8ad19c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/theonedev/onedev/security/advisories/GHSA-5864-2496-4xjf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-90"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}