CVE-2021-21242 | Pre-Auth Unsafe Deserialization on AttachmentUploadServet
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or authorization checks. This issue may lead to pre-auth remote code execution. This issue was fixed in 4.0.3 by removing AttachmentUploadServlet and not using deserialization
Conclusion & alert: CVE-2021-21242 is rated High Risk (79.8/100): CVSS Critical severity, with high exploitation likelihood (EPSS 74.19%, 99th percentile).Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +33.82% over the last day, indicating growing attacker interest.Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
Exploit prediction scoring system (EPSS) score for CVE-2021-21242
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).