How severe is CVE-2021-21250?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2021-21250?

This is classified as CWE-538, which is a common weakness in software security.

CVE-2021-21250

MEDIUM Year: 2021

CVSS v3 Score

6.5

Medium

CVSS v2 Score

4.0

Medium

Weakness Type

CWE-538

View all →

Vulnerability Description

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which may lead to arbitrary file read. When BuildSpec is provided in XML format, the spec is processed by XmlBuildSpecMigrator.migrate(buildSpecString); which processes the XML document without preventing the expansion of external entities. These entities can be configured to read arbitrary files from the file system and dump their contents in the final XML document to be migrated. If the files are dumped in properties included in the YAML file, it will be possible for an attacker to read them. If not, it is possible for an attacker to exfiltrate the contents of these files Out Of Band. This issue was addressed in 4.0.3 by ignoring ENTITY instructions in xml file.

CVE-2017-16770

MEDIUM

CVSS:6.5(Medium)

File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain ...

CWE-5382017

CVE-2018-11798

MEDIUM

CVSS:6.5(Medium)

The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the...

CWE-5382018

CVE-2019-7618

MEDIUM

CVSS:6.5(Medium)

A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local file...

CWE-5382019

CVE-2023-4595

MEDIUM

CVSS:6.5(Medium)

An information exposure vulnerability has been found, the exploitation of which could allow a remote user to retrieve sensitive information stored on the server such as credential files, configuration...

CWE-5382023

CVE-2024-22045

MEDIUM

CVSS:6.5(Medium)

A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.1 SP1). The product places sensitive information into files or directories that are accessible to actors who are ...

CWE-5382024

CVE-2025-0194

MEDIUM

CVSS:6.5(Medium)

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.4 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. Under certain conditions,...

CWE-5382025

CVE-2021-21250

Vulnerability Description

Related Vulnerabilities

CVE-2017-16770

CVE-2018-11798

CVE-2019-7618

CVE-2023-4595

CVE-2024-22045

CVE-2025-0194