Observation
The /git-prereceive-callback endpoint is used by the pre-receive git hook on the server to check branch protections during a push event. It is only intended to be accessed from localhost, but the localhost check relies on the X-Forwarded-For header, which any client can set. Invoking this endpoint leads to the execution of one of several git commands, and the environment variables of that command execution can be controlled via query parameters. This allows attackers to write to arbitrary files, which can in turn lead to the execution of arbitrary code.
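The root cause is a "local only" decision made from a client-controlled header. The following is an added illustration, not OneDev's code: it contrasts a check that trusts X-Forwarded-For with one that decides from the TCP peer address and only consults X-Forwarded-For (for logging) when the peer is a known reverse proxy. The proxy address and the sample requests are constructed for the example.

```python
import ipaddress
from typing import Mapping

# Assumed address of the deployment's reverse proxy (constructed for this example).
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.0.5")})


def is_from_localhost_weak(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Vulnerable pattern: X-Forwarded-For overrides the real peer address.

    Any remote client can send 'X-Forwarded-For: 127.0.0.1' and pass.
    """
    xff = headers.get("X-Forwarded-For")
    candidate = xff.split(",")[0].strip() if xff else remote_addr
    return ipaddress.ip_address(candidate).is_loopback


def is_from_localhost_hardened(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Hardened pattern: a localhost-only endpoint trusts only the socket peer.

    Headers are ignored entirely for this decision; a hook running on the
    same host connects directly to the loopback interface.
    """
    del headers  # deliberately unused
    return ipaddress.ip_address(remote_addr).is_loopback


def client_ip_for_logging(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Resolve the originating client for audit logs.

    X-Forwarded-For is honored only when the TCP peer is a trusted proxy, and
    then only the rightmost entry is used, because that is the one the proxy
    itself appended; earlier entries are attacker-controllable.
    """
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For")
    if peer not in TRUSTED_PROXIES or not xff:
        return str(peer)
    return xff.split(",")[-1].strip()


def evaluate_sample_requests() -> dict:
    """Run both checks over constructed requests and return the decisions."""
    spoofed = ("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"})  # remote attacker
    genuine = ("127.0.0.1", {})                                   # local git hook
    return {
        "spoofed_weak": is_from_localhost_weak(*spoofed),
        "spoofed_hardened": is_from_localhost_hardened(*spoofed),
        "genuine_hardened": is_from_localhost_hardened(*genuine),
    }


if __name__ == "__main__":
    for name, decision in evaluate_sample_requests().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

The weak variant allows the spoofed request; the hardened variant denies it while still accepting the genuine loopback connection. A properly configured reverse proxy that overwrites (rather than appends to) X-Forwarded-For reduces exposure of the weak variant, which is why the advisory scopes the impact to instances without one, but the server-side decision should not depend on that.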
Impact
Unauthenticated users can take over a OneDev instance if there is no properly configured reverse proxy. This impacts the confidentiality, integrity, and availability of the data on the server. Attackers could steal intellectual property or inject malicious code in very stealthy ways.
Note that the OneDev dogfooding instance is affected by this. Attackers could have used this to backdoor OneDev itself, which would then be installed by users. This could have been done by manipulating binaries or Docker images, as that instance seems to be in charge of building and publishing these artifacts. Such an attack would be very hard to detect, which increases the potential impact even more.
Patches
Fixed in 7.3.0 or higher. The OneDev dogfooding instance has been rebuilt from scratch with clean code.
Credits
This issue was reported by the SonarSource team.