{"id":"CVE-2021-21244","details":"OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a vulnerability that enables pre-auth server-side template injection via Bean validation message tampering. Full details are in the referenced GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely.","modified":"2026-04-11T23:33:56.036472Z","published":"2021-01-15T20:15:12.097Z","related":["GHSA-vm26-xg39-cfj4"],"references":[{"type":"ADVISORY","url":"https://github.com/theonedev/onedev/security/advisories/GHSA-vm26-xg39-cfj4"},{"type":"FIX","url":"https://github.com/theonedev/onedev/commit/4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/theonedev/onedev","events":[{"introduced":"0"},{"fixed":"4bd71941974a1b077e955616d7ba3da6fd21670c"},{"fixed":"4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.0.3"}]}}],"versions":["2.0-beta-build119","2.0-beta-build120","2.0.0","2.0.4","2.0.5","v3.0.10","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.1.0","v3.1.1","v3.1.2","v3.2.0","v3.2.1","v3.2.2","v3.2.3","v3.2.4","v4.0.0","v4.0.1","v4.0.2"],"database_specific":{"vanir_signatures_modified":"2026-04-11T23:33:56Z","vanir_signatures":[{"deprecated":false,"target":{"file":"server-core/src/main/java/io/onedev/server/CoreModule.java","function":"get"},"source":"https://github.com/theonedev/onedev/commit/4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65","signature_version":"v1","signature_type":"Function","id":"CVE-2021-21244-00f1dfb7","digest":{"function_hash":"314345820516131289704848469007129524610","length":105}},{"deprecated":false,"target":{"file":"server-core/src/main/java/io/onedev/server/CoreModule.java","function":"configure"},"source":"https://github.com/theonedev/onedev/commit/4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65","signature_version":"v1","signature_type":"Function","id":"CVE-2021-21244-9bf28ea7","digest":{"funct
ion_hash":"273615317538706682405484608998595562832","length":7472}},{"deprecated":false,"target":{"file":"server-core/src/main/java/io/onedev/server/CoreModule.java"},"source":"https://github.com/theonedev/onedev/commit/4f5dc6fb9e50f2c41c4929b0d8c5824b2cca3d65","signature_version":"v1","signature_type":"Line","id":"CVE-2021-21244-b046c707","digest":{"line_hashes":["145208361911632134107315593457353159029","283939253622884751924792024688269929394","47811403021720389437033609848088136124","64441979548177091500874682461307828276","194885136040210411584264671351583632863","217384460011324300131371455490280892268","304249122755757553178080581108472414753","223913018099819470493469984824242314602"],"threshold":0.9}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21244.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}