CVE-2022-39206: CWE-610: Externally Controlled Reference to a Resource in Another Sphere in theonedev onedev
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daemon on the host machine. This is a known dangerous pattern, as it can be used to break out of Docker containers and, in most cases, gain root privileges on the host system. This issue allows regular (non-admin) users to potentially take over the build infrastructure of a OneDev instance. Attackers need to have an account (or be able to register one) and need permission to create a project. Since code.onedev.io has the right preconditions for this to be exploited by remote attackers, it could have been used to hijack builds of OneDev itself, e.g. by injecting malware into the docker images that are built and pushed to Docker Hub. The impact is increased by this as described before. Users are advised to upgrade to 7.3.0 or higher. There are no known workarounds for this issue.
AI Analysis
Technical Summary
CVE-2022-39206 affects OneDev, an open-source, self-hosted Git server with built-in CI/CD and Kanban. The issue is specific to the Docker-based job executors: when a job step runs in a container, the executor bind-mounts the host's Docker daemon socket (typically /var/run/docker.sock on Linux) into that container. The socket is the daemon's API endpoint, and the daemon normally runs as root on the host, so whoever can write to the socket can start arbitrary containers with arbitrary settings, including containers that bind-mount the host root filesystem or run with --privileged. Socket access is therefore equivalent to root on the build host; this is the well-known "docker.sock inside a container" breakout pattern rather than a flaw in Docker itself. The CWE-610 classification (externally controlled reference to a resource in another sphere) describes exactly this: a job definition controlled by a regular project user ends up holding a handle to a resource in the host's trust sphere. An attacker needs an account on the instance (obtainable through self-registration where that is enabled) and permission to create a project; with those, they can define and trigger a job whose commands talk to the mounted socket, and no administrator rights are needed. The advisory notes that the public instance code.onedev.io met these preconditions, so the flaw could have been used to tamper with OneDev's own build pipeline, for example by injecting malicious content into the Docker images it publishes to Docker Hub, turning a single-instance compromise into a supply-chain incident for every downstream user of those images. Versions before 7.3.0 are affected; upgrading to 7.3.0 or later is the fix, and no workaround is known. No exploitation in the wild has been reported, but the technique is public and straightforward once the preconditions hold, so the risk remains significant.
Potential Impact
For European organizations running OneDev with Docker-based job executors, the flaw puts the confidentiality, integrity and availability of the build infrastructure at risk. An attacker who gains root on a build host can read whatever secrets that host holds (registry credentials, signing keys, deployment tokens exposed to builds), alter build processes, and plant malicious code in the artifacts and container images the pipeline produces, which then propagate to every system that consumes them. The result can be a supply-chain compromise, a data breach or loss of service, and it undermines the trust downstream consumers place in the organization's software delivery. Organizations building sensitive or widely distributed software are the most exposed. Because no workaround exists, instances stay exposed until patched, and the exposure is greatest where self-registration is open or where many users hold project-creation rights, since each such account satisfies the attacker's preconditions. Given how central a Git/CI server is to development workflows, exploitation can also compromise source code confidentiality and operational continuity.
Mitigation Recommendations
1. Upgrade every OneDev instance to 7.3.0 or later; this is the only remediation the advisory offers.
2. Until then, and as defence in depth afterwards, keep the set of users who can create projects and define CI/CD jobs to trusted people: disable self-registration if it is enabled and review who holds project-creation rights, since every such account meets the attacker's preconditions.
3. Audit how build steps reach the Docker daemon. Do not bind-mount /var/run/docker.sock into containers that run user-controlled commands; where builds genuinely need to produce images, prefer a daemonless or rootless builder, or a dedicated, disposable build host that holds no credentials beyond what the build needs.
4. Restrict access to the daemon on the host itself: limit membership of the group that owns the socket to the service accounts that need it, and if the daemon also listens on TCP, require TLS client authentication rather than relying on network segmentation alone.
5. Run a runtime security tool that detects container breakout and anomalous daemon use, for example containers started from inside another container, privileged containers, host PID namespace sharing, or bind mounts of the host root filesystem.
6. If a vulnerable version was reachable by untrusted users with project-creation rights, treat the build hosts as potentially compromised: compare the digests of published images with what the pipeline should have produced, review job definitions and build logs for unexpected docker invocations, and rebuild hosts from a known-good baseline rather than only patching them.
7. Enforce strong authentication and multi-factor authentication so that the account precondition is harder to meet through credential theft.
8. Monitor OneDev build logs and Docker daemon logs for container creations with unusual settings.
9. Educate developers and DevOps teams on why the Docker socket must never be exposed to untrusted code, and on secure CI/CD practices generally.
These steps, combined with patching, reduce both the likelihood and the impact of exploitation.
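The check behind items 3, 5 and 8 above, and the pattern the Technical Summary describes, can be scripted against the daemon's own view of its containers. The following is an added example for this page, not OneDev code and not part of the 7.3.0 fix. It reads the JSON array that `docker inspect` prints (the field names are Docker's; the policy lists and the three sample containers are constructed for the example) and flags any container that has the daemon socket mounted inside it, plus the settings an attacker who controls the daemon typically uses next: privileged mode, the host root bind-mounted read-write, the host PID namespace, and added capabilities such as SYS_ADMIN.

```python
"""Audit `docker inspect` output for build containers that can control the host
Docker daemon (mounted docker.sock) or that show the usual follow-on of such
control (privileged, host root bind-mounted, host PID namespace, SYS_ADMIN).

Added example for this advisory page; not OneDev code. Field names follow the
JSON that `docker inspect` prints. The policy sets below are assumptions: a
starting point to adjust per site, not an exhaustive list.
"""
import json

DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}
# Host paths that, bind-mounted read-write, amount to root on the host (assumption).
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys", "/dev", "/var/run", "/run"}
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "ALL"}


def _norm(path):
    """Collapse trailing slashes so '/var/run/' and '/var/run' compare equal."""
    stripped = path.rstrip("/")
    return stripped or "/"


def audit_container(container):
    """Return the list of findings for one element of the `docker inspect` array."""
    findings = []
    name = container.get("Name", "?").lstrip("/")
    host_cfg = container.get("HostConfig") or {}

    # Mounts lists both -v and --mount bind mounts; named volumes have Type "volume".
    for mount in container.get("Mounts") or []:
        if mount.get("Type") != "bind":
            continue
        src = _norm(mount.get("Source", ""))
        dst = mount.get("Destination", "?")
        if src in DOCKER_SOCKETS:
            findings.append(f"{name}: Docker socket {src} mounted at {dst} (daemon control)")
        elif src in SENSITIVE_HOST_PATHS and mount.get("RW", True):
            findings.append(f"{name}: host path {src} bind-mounted read-write at {dst}")

    if host_cfg.get("Privileged"):
        findings.append(f"{name}: Privileged=true (all capabilities, host devices)")
    if host_cfg.get("PidMode") == "host":
        findings.append(f"{name}: PidMode=host (host processes visible to ptrace/nsenter)")
    # CapAdd entries may be written with or without the CAP_ prefix.
    added = {cap.upper().removeprefix("CAP_") for cap in host_cfg.get("CapAdd") or []}
    risky = sorted(added & DANGEROUS_CAPS)
    if risky:
        findings.append(f"{name}: CapAdd {risky}")
    return findings


def audit_inspect_output(inspect_output):
    """Map container name -> findings. Accepts the JSON text or the parsed array."""
    containers = json.loads(inspect_output) if isinstance(inspect_output, str) else inspect_output
    if isinstance(containers, dict):
        containers = [containers]
    report = {}
    for container in containers:
        findings = audit_container(container)
        if findings:
            report[container.get("Name", "?").lstrip("/")] = findings
    return report


# Constructed sample, shaped like `docker inspect` output and trimmed to the fields used.
SAMPLE_INSPECT = [
    {   # the pattern this advisory describes: a build step with the daemon socket inside
        "Name": "/onedev-build-1",
        "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": None},
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True},
            {"Type": "volume", "Source": "onedev-workspace",
             "Destination": "/workspace", "RW": True},
        ],
    },
    {   # what an attacker who controls the daemon typically starts next
        "Name": "/onedev-build-2",
        "HostConfig": {"Privileged": True, "PidMode": "host", "CapAdd": ["CAP_SYS_ADMIN"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}],
    },
    {   # a clean step: read-only CA bundle, no daemon access
        "Name": "/onedev-build-3",
        "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": None},
        "Mounts": [{"Type": "bind", "Source": "/etc/ssl/certs",
                    "Destination": "/etc/ssl/certs", "RW": False}],
    },
]

if __name__ == "__main__":
    # Real use on a build host:  docker inspect $(docker ps -q) | python3 audit.py -
    # Without "-" the constructed sample is audited instead.
    import sys
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_INSPECT
    for finding in (f for findings in audit_inspect_output(data).values() for f in findings):
        print(finding)
```

Matching on the normalized mount source is exact rather than prefix-based on purpose: a prefix match on "/" would flag every bind mount on the host, while the socket and the root filesystem are the specific handles that confer daemon or host control. Extend SENSITIVE_HOST_PATHS with whatever your own hosts treat as equivalent to root (for example the directory holding registry credentials).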
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-09-02T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9849c4522896dcbf6959
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 11:32:16 PM
Last updated: 8/18/2025, 8:32:31 AM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)