Vulnerability Details CVE-2021-25924
In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/go/api/config/backup` endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the post_backup_script field.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 75.1%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 9.3
References
- https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25924%2C
- https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25924%2C
Products affected by CVE-2021-25924
-
cpe:2.3:a:thoughtworks:gocd:19.10.0
-
cpe:2.3:a:thoughtworks:gocd:19.11.0
-
cpe:2.3:a:thoughtworks:gocd:19.12.0
-
cpe:2.3:a:thoughtworks:gocd:19.6.0
-
cpe:2.3:a:thoughtworks:gocd:19.7.0
-
cpe:2.3:a:thoughtworks:gocd:19.8.0
-
cpe:2.3:a:thoughtworks:gocd:19.9.0
-
cpe:2.3:a:thoughtworks:gocd:20.1.0
-
cpe:2.3:a:thoughtworks:gocd:20.10.0
-
cpe:2.3:a:thoughtworks:gocd:20.2.0
-
cpe:2.3:a:thoughtworks:gocd:20.3.0
-
cpe:2.3:a:thoughtworks:gocd:20.4.0
-
cpe:2.3:a:thoughtworks:gocd:20.5.0
-
cpe:2.3:a:thoughtworks:gocd:20.6.0
-
cpe:2.3:a:thoughtworks:gocd:20.7.0
-
cpe:2.3:a:thoughtworks:gocd:20.8.0
-
cpe:2.3:a:thoughtworks:gocd:20.9.0
-
cpe:2.3:a:thoughtworks:gocd:21.1.0