Vulnerability detail
Enriched intelligence for a single CVE
High
CVE-2024-45309
PUBLISHEDOneDev vulnerable to arbitrary file reading for unauthenticated user
- Vendor
- theonedev
- Product
- onedev
- Published
- Oct 21, 2024
- EPSS
- 89.0% · 100% pctl
Automate this intelligence with the Pro API
Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot sensor data — is available programmatically for VM, SOC, and CTI workflows.
Description
OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9.
Weaknesses (CWE)
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVSS scores
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitation status
Exploited in the wild
Recorded 2026-06-05 00:00:00 UTC · Source
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| The Shadowserver (via CIRCL) First | 2026-06-05 00:00 UTC |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-45309.yaml | Apr 25, 2025 |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Detected by Nuclei
-
Added to KEVIntel