Pre-Auth SSTI via Bean validation message tampering

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, There is a vulnerability that enabled pre-auth server side template injection via Bean validation message tampering. Full details in the reference GHSA. This issue was fixed in 4.0.3 by disabling validation interpolation completely.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

输出中的特殊元素转义处理不恰当(注入)

Theonedev Onedev 代码代码注入漏洞

Theonedev Onedev是Theonedev团队的一个基于JAVA的多合一DevOps平台。该平台支持容器构建、编排、CI、Git管理、团队协作等功能，帮助开发者构建一个简单、功能强大的开发平台。 Theonedev Onedev 4.0.3 存在代码注入漏洞，该漏洞源于通过篡改Bean验证消息启用了预认证服务器端模板注入。

N/A

N/A