GoCD Information Disclosure

Web App Scanning Plugin ID 113952 (Severity: High)

Synopsis

GoCD Information Disclosure

Description

ThoughtWorks GoCD is an open source continuous integration and continuous delivery (CI/CD) server used to build, test and deploy software projects. GoCD versions 20.6.x through 21.2.0 suffer from an information disclosure vulnerability in the business continuity add-on: the add-on's API can be reached without authentication, so a remote, unauthenticated attacker can use it to retrieve all secrets known to the GoCD server.
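A fleet-side version check for this finding, added here as an example; it is not code from the Tenable plugin or the GoCD project. It assumes each server's version is obtained as a small JSON document carrying a `version` and/or `full_version` field (a hypothetical response shape; the host names and bodies below are constructed), parses the x.y.z triple out of that field, and classifies each host against the affected range stated above (20.6.0 through 21.2.0, fixed in 21.3.0). A host whose version cannot be parsed is reported as unknown rather than silently passed.

```python
import json
import re
from typing import Dict, Optional, Tuple

# Version range as stated in the advisory: 20.6.x through 21.2.0 affected,
# fixed in 21.3.0. Versions are compared as (major, minor, patch) tuples.
AFFECTED_FROM = (20, 6, 0)
FIXED_IN = (21, 3, 0)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a GoCD version string.

    Accepts a bare "21.2.0" as well as a longer banner such as
    "21.2.0 (12498-0123abcd)"; returns None if no x.y.z triple is present.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version lies in [20.6.0, 21.3.0), False if outside it,
    None if the string carries no parsable version (never silently pass)."""
    version = parse_version(version_text)
    if version is None:
        return None
    return AFFECTED_FROM <= version < FIXED_IN


def version_from_api_json(body: str) -> Optional[str]:
    """Pull the version out of a JSON document shaped like a version API
    response (assumed here to carry "version" and/or "full_version").
    Returns None for malformed JSON or a document without those keys."""
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(data, dict):
        return None
    value = data.get("full_version") or data.get("version")
    return value if isinstance(value, str) else None


# Constructed sample responses keyed by hypothetical host name; not real hosts.
SAMPLE_RESPONSES: Dict[str, str] = {
    "gocd-prod.example.internal": '{"version": "21.2.0", "full_version": "21.2.0 (12498-0123abcd)"}',
    "gocd-stage.example.internal": '{"version": "21.3.0"}',
    "gocd-legacy.example.internal": '{"version": "20.5.0"}',
    "gocd-edge.example.internal": '{"version": "20.6.0"}',
    "gocd-broken.example.internal": "<html>login</html>",
}


def triage(responses: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each host to True (affected), False (not affected) or None (unknown)."""
    results: Dict[str, Optional[bool]] = {}
    for host, body in responses.items():
        version_text = version_from_api_json(body)
        results[host] = None if version_text is None else is_affected(version_text)
    return results


if __name__ == "__main__":
    labels = {
        True: "AFFECTED - upgrade to 21.3.0 or later and rotate stored secrets",
        False: "not affected",
        None: "unknown - verify the version manually",
    }
    for host, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{host}: {labels[verdict]}")
```

The half-open range `[20.6.0, 21.3.0)` is deliberate: 21.3.0 is the first fixed release, so it must classify as not affected, while every 20.6.x, 20.7.x and so on up to and including 21.2.0 must classify as affected. Treat an unknown verdict as a finding to follow up, since a server that hides its version is not thereby patched.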

Solution

Upgrade to GoCD version 21.3.0 or later. Because the flaw allows an unauthenticated client to retrieve every secret the server holds, treat any server that was reachable by untrusted clients while running an affected version as compromised and rotate the secrets it stored after upgrading.

See Also

https://www.gocd.org/

https://www.sonarsource.com/blog/gocd-pre-auth-pipeline-takeover/

Plugin Details

Severity: High

ID: 113952

Type: remote

Published: 6/9/2023

Updated: 6/9/2023

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-43287

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS Score Source: CVE-2021-43287

Vulnerability Information

CPE: cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/26/2021

Vulnerability Publication Date: 10/27/2021

Reference Information

CVE: CVE-2021-43287