Full Report
OneDev is a self-hosted Git server with many other features, such as CI/CD and code search. Since it is open source, it was a good target for an audit. A user is allowed to set webhooks, which must be given a URL that the server calls with event data in the request body. The URL is not restricted at all, so the server can be made to call itself on an internal IP. The first vulnerability the author found was therefore a Server-Side Request Forgery (SSRF) bug, a very limited one at that.

There was an internal authentication check on the server: it tested whether the X-Forwarded-For header was set to 127.0.0.1, and if so, some access control checks were bypassed completely. This header can be spoofed directly or supplied through the SSRF. Using the auth bypass on push events, arbitrary environment variables and commands can be specified. The command path had safeguards against command injection and argument injection, but nothing prevented tampering with the environment variables. By setting specific Git environment variables, havoc can be caused. The variable GIT_TRACE_SETUP enables verbose output to a file, with two drawbacks: first, it only appends to existing files and never overwrites them; second, only parts of the debugging output are attacker-controlled. To get around this, the author noticed bash scripts used by the service that could be appended to. By creating a special directory and referencing it, the trace output could be used to put a bash command into such a script.

OneDev recommends starting the server with access to a Docker socket to enable its Docker-based CI/CD pipelines. If the OneDev server itself runs in a Docker container, the recommended way to do this is to mount the host's Docker socket into the OneDev container. By making requests to the Docker socket, it is trivial to escalate privileges to the main host using mount and privileged options. This is almost a security vulnerability by design. Overall, a good post with concrete bugs.
I do wish examples of the exact requests made for the vulnerabilities were shown though.
Analysis Summary
# Vulnerability: Combined Vulnerabilities Leading to RCE and Container Escape in OneDev
## CVE Details
- CVE ID: CVE-2022-39205, CVE-2022-39206, CVE-2022-39207, CVE-2022-39208
- CVSS Score: not given in the source for all four CVEs; the impact suggests High/Critical severity, particularly for the RCE and the Docker escape
- CWE: multiple; CWE-918 (SSRF) covers the webhook bug, and others are implied by the remaining findings
## Affected Systems
- Products: OneDev (self-hosted Git server)
- Versions: Up to and including Version 7.2.9
- Configurations: Any instance where low-privileged users can create webhooks, and especially instances with the host's Docker socket mounted into the OneDev container.
## Vulnerability Description
Multiple vulnerabilities were discovered that could be chained together, primarily requiring authentication as a regular user, though one vulnerability did not require authentication.
1. **SSRF (No CVE assigned):** Webhook functionality allows setting an arbitrary URL, enabling Server-Side Request Forgery (SSRF) against internal hosts.
2. **Access Control Bypass Leading to RCE (CVE-2022-39205):** The SSRF could target an internal validation endpoint for push events. This endpoint relied on checking whether the `X-Forwarded-For` header was set to `127.0.0.1` for access control. By spoofing this header via the SSRF, attackers bypassed the internal checks. This bypass, combined with the event payload, allowed specifying arbitrary environment variables (specifically `GIT_TRACE_SETUP`) during Git command execution, leading to RCE: the trace output is appended to bash scripts the service runs, and parts of that output are attacker-controlled.
3. **Docker Escape (CVE-2022-39206):** If the OneDev server is containerized and the host's Docker socket is mounted into the container (a recommended practice for CI/CD), the RCE or other low-privileged access could be leveraged to interact with the host's Docker socket, allowing for trivial escalation to full host system control (e.g., using `mount` and `privileged` operations).
4. **Persistent Cross-Site Scripting (CVE-2022-39207)**
5. **Git Repository Disclosure (CVE-2022-39208):** Exploitable without authentication.
## Exploitation
- Status: PoC implied by the detailed findings, though the exact PoC requests are not shown in the write-up. The chain requires authentication, except for CVE-2022-39208.
- Complexity: Low/Medium (Requires authentication for the RCE chain, but the execution steps leveraging environment variables and bash scripts are relatively straightforward once the access bypass is achieved).
- Attack Vector: Network (Requires network access to the service).
## Impact
- Confidentiality: High (Arbitrary code execution allows reading/exfiltrating any system data).
- Integrity: Critical (Ability to modify source code, build artifacts, or deploy malicious code, enabling supply chain attacks).
- Availability: High (Ability to cause service outages or compromise the system entirely).
## Remediation
### Patches
- Update to **OneDev Version 7.3.0 or later**. (Fixes were released very quickly, within one day of confirmation).
### Workarounds
- **Avoid trusting `X-Forwarded-For` headers blindly** unless strict controls are in place (make trust opt-in).
- **Restrict Host Docker Socket Access:** Ensure the host's Docker socket is **not** mounted into the OneDev container, or properly restrict which users can access it if mounting is necessary. Use proxies like `docker-socket-proxy` to limit exposed functionality if the socket must be exposed.
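As an added example that is not OneDev's code or the blog post's, the two checks that close the chain's first links: a webhook destination check (the description notes the URL was unrestricted) and an opt-in `X-Forwarded-For` trust check as the workaround above suggests. The function names and the constructed DNS table are assumptions for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added defensive example, not OneDev's code. Function names and the
# constructed DNS table are assumptions made for this illustration.
def webhook_destination_allowed(url, resolver=socket.getaddrinfo):
    """Allow only http(s) hooks whose every resolved address is public.
    Run it at delivery time too, not just when the hook is saved, so a
    later DNS change cannot redirect the hook to an internal host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        infos = resolver(parts.hostname, parts.port or 0)
    except OSError:  # NXDOMAIN and friends: fail closed
        return False
    addrs = [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]
    return bool(addrs) and all(a.is_global for a in addrs)

def is_internal_request(peer_ip, headers, trusted_proxies=()):
    """Opt-in trust for X-Forwarded-For: the header counts only when the
    direct peer is a configured reverse proxy; otherwise the socket peer
    decides and a client-supplied header changes nothing. A request the
    server makes to itself still has a loopback peer, which is why the
    destination check above is needed as well."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in {ipaddress.ip_address(p) for p in trusted_proxies}:
        return peer.is_loopback
    # a trusted proxy appends the real client last; earlier entries are
    # whatever the client chose to send and are ignored
    client = headers.get("X-Forwarded-For", "").split(",")[-1].strip()
    try:
        return ipaddress.ip_address(client).is_loopback
    except ValueError:
        return False

# constructed name -> address table so the example runs offline
CONSTRUCTED_DNS = {"hooks.example.com": "93.184.216.34", "ci.internal": "10.0.0.5"}

def constructed_resolver(host, port, *_):
    """Stand-in for socket.getaddrinfo backed by CONSTRUCTED_DNS."""
    try:
        addr = str(ipaddress.ip_address(host))  # literal IP in the URL
    except ValueError:
        if host not in CONSTRUCTED_DNS:
            raise socket.gaierror("constructed NXDOMAIN")
        addr = CONSTRUCTED_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (addr, port))]
```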
## Detection
- **Indicators of Compromise:** Look for webhook deliveries whose URLs reference internal IPs, requests carrying a spoofed `X-Forwarded-For: 127.0.0.1` header, unexpected environment variables (such as `GIT_TRACE_SETUP`) in push-event payloads, abnormal modifications to scripts run by OneDev, and OneDev process activity against the Docker daemon socket.
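As an added example (not from the blog post or OneDev), a small scanner that applies the indicators above to log events. The JSON-lines format and every sample event are constructed for illustration; map the field names onto what your OneDev, reverse-proxy and dockerd logs really emit.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Added example, not from the Sonar post or OneDev. The event format and
# all sample events are constructed; adapt the field names to real logs.
SAMPLE_EVENTS = """\
{"kind": "webhook_delivery", "user": "dev1", "url": "https://hooks.example.com/ci"}
{"kind": "webhook_delivery", "user": "dev2", "url": "http://127.0.0.1/push-hook"}
{"kind": "http_request", "peer": "203.0.113.7", "xff": "127.0.0.1", "path": "/push-hook"}
{"kind": "http_request", "peer": "127.0.0.1", "xff": "", "path": "/push-hook"}
{"kind": "push_event", "user": "dev2", "env": {"GIT_TRACE_SETUP": "/srv/hooks/post-receive.sh"}}
{"kind": "push_event", "user": "dev1", "env": {}}
{"kind": "docker_api", "endpoint": "POST /containers/create", "host_config": {"Privileged": true, "Binds": ["/:/host"]}}
{"kind": "docker_api", "endpoint": "GET /containers/json", "host_config": {}}
"""

def _is_internal_host(host):
    # literal IPs and 'localhost' only; resolve names at delivery time instead
    if host in (None, "localhost"):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False

def scan_events(text):
    """Return (kind, who, reason) triples for events matching the chain."""
    findings = []
    for line in text.splitlines():
        ev = json.loads(line)
        kind = ev["kind"]
        if kind == "webhook_delivery" and _is_internal_host(urlsplit(ev["url"]).hostname):
            findings.append((kind, ev["user"], "webhook URL targets an internal address"))
        elif kind == "http_request" and ev.get("xff"):
            claimed = ev["xff"].split(",")[0].strip()
            if not ipaddress.ip_address(ev["peer"]).is_loopback and _is_internal_host(claimed):
                findings.append((kind, ev["peer"], "X-Forwarded-For claims an internal address from an external peer"))
        elif kind == "push_event":
            git_vars = sorted(k for k in ev.get("env", {}) if k.startswith("GIT_"))
            if git_vars:
                findings.append((kind, ev["user"], "push payload sets " + ",".join(git_vars)))
        elif kind == "docker_api" and "containers/create" in ev["endpoint"]:
            hc = ev.get("host_config", {})
            if hc.get("Privileged") or any(b.startswith("/:") for b in hc.get("Binds", [])):
                findings.append((kind, ev["endpoint"], "privileged container or host root bind requested via Docker socket"))
    return findings
```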
## References
- Vendor advisory: not linked in the source; the fix shipped in OneDev 7.3.0
- Relevant links: hxxps[:]//blog[.]sonarsource[.]com/securing-developer-tools-onedev-remote-code-execution/