Vulnerability Details CVE-2021-43286
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL "Test Connection" feature to execute arbitrary code.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.029
EPSS Ranking 85.8%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
- https://blog.sonarsource.com/gocd-vulnerability-chain
- https://github.com/gocd/gocd/commit/2b77b533abcbb79c8fc758dec9984305dc1ade42
- https://github.com/gocd/gocd/commit/6fa9fb7a7c91e760f1adc2593acdd50f2d78676b
- https://www.gocd.org/releases/#21-3-0
- https://blog.sonarsource.com/gocd-vulnerability-chain
- https://github.com/gocd/gocd/commit/2b77b533abcbb79c8fc758dec9984305dc1ade42
- https://github.com/gocd/gocd/commit/6fa9fb7a7c91e760f1adc2593acdd50f2d78676b
- https://www.gocd.org/releases/#21-3-0
Products affected by CVE-2021-43286
-
cpe:2.3:a:thoughtworks:gocd:14.2.0
-
cpe:2.3:a:thoughtworks:gocd:14.3.0
-
cpe:2.3:a:thoughtworks:gocd:14.4.0
-
cpe:2.3:a:thoughtworks:gocd:15.1.0
-
cpe:2.3:a:thoughtworks:gocd:15.2.0
-
cpe:2.3:a:thoughtworks:gocd:15.3.0
-
cpe:2.3:a:thoughtworks:gocd:15.3.1
-
cpe:2.3:a:thoughtworks:gocd:16.1.0
-
cpe:2.3:a:thoughtworks:gocd:16.10.0
-
cpe:2.3:a:thoughtworks:gocd:16.11.0
-
cpe:2.3:a:thoughtworks:gocd:16.12.0
-
cpe:2.3:a:thoughtworks:gocd:16.2.0
-
cpe:2.3:a:thoughtworks:gocd:16.2.1
-
cpe:2.3:a:thoughtworks:gocd:16.3.0
-
cpe:2.3:a:thoughtworks:gocd:16.4.0
-
cpe:2.3:a:thoughtworks:gocd:16.5.0
-
cpe:2.3:a:thoughtworks:gocd:16.6.0
-
cpe:2.3:a:thoughtworks:gocd:16.7.0
-
cpe:2.3:a:thoughtworks:gocd:16.8.0
-
cpe:2.3:a:thoughtworks:gocd:16.9.0
-
cpe:2.3:a:thoughtworks:gocd:17.1.0
-
cpe:2.3:a:thoughtworks:gocd:17.10.0
-
cpe:2.3:a:thoughtworks:gocd:17.11.0
-
cpe:2.3:a:thoughtworks:gocd:17.12.0
-
cpe:2.3:a:thoughtworks:gocd:17.2.0
-
cpe:2.3:a:thoughtworks:gocd:17.3.0
-
cpe:2.3:a:thoughtworks:gocd:17.4.0
-
cpe:2.3:a:thoughtworks:gocd:17.5.0
-
cpe:2.3:a:thoughtworks:gocd:17.6.0
-
cpe:2.3:a:thoughtworks:gocd:17.7.0
-
cpe:2.3:a:thoughtworks:gocd:17.8.0
-
cpe:2.3:a:thoughtworks:gocd:17.9.0
-
cpe:2.3:a:thoughtworks:gocd:18.1.0
-
cpe:2.3:a:thoughtworks:gocd:18.10.0
-
cpe:2.3:a:thoughtworks:gocd:18.11.0
-
cpe:2.3:a:thoughtworks:gocd:18.12.0
-
cpe:2.3:a:thoughtworks:gocd:18.2.0
-
cpe:2.3:a:thoughtworks:gocd:18.3.0
-
cpe:2.3:a:thoughtworks:gocd:18.4.0
-
cpe:2.3:a:thoughtworks:gocd:18.5.0
-
cpe:2.3:a:thoughtworks:gocd:18.6.0
-
cpe:2.3:a:thoughtworks:gocd:18.7.0
-
cpe:2.3:a:thoughtworks:gocd:18.8.0
-
cpe:2.3:a:thoughtworks:gocd:18.9.0
-
cpe:2.3:a:thoughtworks:gocd:19.1.0
-
cpe:2.3:a:thoughtworks:gocd:19.10.0
-
cpe:2.3:a:thoughtworks:gocd:19.11.0
-
cpe:2.3:a:thoughtworks:gocd:19.12.0
-
cpe:2.3:a:thoughtworks:gocd:19.2.0
-
cpe:2.3:a:thoughtworks:gocd:19.3.0
-
cpe:2.3:a:thoughtworks:gocd:19.4.0
-
cpe:2.3:a:thoughtworks:gocd:19.5.0
-
cpe:2.3:a:thoughtworks:gocd:19.6.0
-
cpe:2.3:a:thoughtworks:gocd:19.7.0
-
cpe:2.3:a:thoughtworks:gocd:19.8.0
-
cpe:2.3:a:thoughtworks:gocd:19.9.0
-
cpe:2.3:a:thoughtworks:gocd:20.1.0
-
cpe:2.3:a:thoughtworks:gocd:20.10.0
-
cpe:2.3:a:thoughtworks:gocd:20.2.0
-
cpe:2.3:a:thoughtworks:gocd:20.3.0
-
cpe:2.3:a:thoughtworks:gocd:20.4.0
-
cpe:2.3:a:thoughtworks:gocd:20.5.0
-
cpe:2.3:a:thoughtworks:gocd:20.6.0
-
cpe:2.3:a:thoughtworks:gocd:20.7.0
-
cpe:2.3:a:thoughtworks:gocd:20.8.0
-
cpe:2.3:a:thoughtworks:gocd:20.9.0
-
cpe:2.3:a:thoughtworks:gocd:21.1.0
-
cpe:2.3:a:thoughtworks:gocd:21.2.0