cvedb.io
CVE-2022-39208
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2022-09-13T19:15:13.283 · Last modified 2026-06-17T04:57:55.057

Summary

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file disclosure vulnerability can be used by unauthenticated attackers to leak all project files of any project. Since project IDs are incremental, an attacker could iterate through them and leak all project data. This issue has been resolved in version 7.3.0 and users are advised to upgrade. There are no known workarounds for this issue.

Affected products

onedev_project — onedev

Does this affect you?

Add your gear to cvedb and we'll alert you only when onedev_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.