

Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts.

Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub)directory is a symbolic link outside of the defined `scope`. Users unable to upgrade should disable the `readDir` endpoint in the `allowlist` inside the ``.

Improper validation of integrity check vulnerability in Smart Switch PC prior to version 3 allows local attackers to delete an arbitrary directory using a directory junction.

Improper validation of integrity check vulnerability in Samsung Kies prior to version 2.4 allows local attackers to delete an arbitrary directory using a directory junction.

UniSharp laravel-filemanager (aka Laravel Filemanager) through 2.5.1 allows `download?working_dir=%2F..` directory traversal to read arbitrary files, as exploited in the wild in June 2022.
