Vulnerability Details : CVE-2022-39206
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daemon on the host machine. This is a known dangerous pattern, as it can be used to break out of Docker containers and, in most cases, gain root privileges on the host system. This issue allows regular (non-admin) users to potentially take over the build infrastructure of a OneDev instance. Attackers need to have an account (or be able to register one) and need permission to create a project. Since code.onedev.io has the right preconditions for this to be exploited by remote attackers, it could have been used to hijack builds of OneDev itself, e.g. by injecting malware into the docker images that are built and pushed to Docker Hub. The impact is increased by this as described before. Users are advised to upgrade to 7.3.0 or higher. There are no known workarounds for this issue.
Products affected by CVE-2022-39206
- cpe:2.3:a:onedev_project:onedev:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-39206
0.31%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 70 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-39206
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.9
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
3.1
|
6.0
|
NIST | |
9.9
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
3.1
|
6.0
|
GitHub, Inc. |
CWE ids for CVE-2022-39206
-
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-39206
-
https://github.com/theonedev/onedev/security/advisories/GHSA-gjq9-4xx9-cr3q
CI/CD Docker Escape · Advisory · theonedev/onedev · GitHubThird Party Advisory
-
https://github.com/theonedev/onedev/commit/0052047a5b5095ac6a6b4a73a522d0272fec3a22
Fix the docker sock mount security vulnerability · theonedev/onedev@0052047 · GitHubPatch;Third Party Advisory
-
https://blog.sonarsource.com/onedev-remote-code-execution/
Securing Developer Tools: OneDev Remote Code ExecutionExploit;Third Party Advisory
Jump to