Vulnerability Details CVE-2021-43290
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into a directory of a GoCD server. They can control the filename but the directory is placed inside of a directory that they can't control.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.047
EPSS Ranking 88.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://blog.sonarsource.com/gocd-vulnerability-chain
- https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595
- https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f
- https://www.gocd.org/releases/#21-3-0
- https://blog.sonarsource.com/gocd-vulnerability-chain
- https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595
- https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f
- https://www.gocd.org/releases/#21-3-0
Products affected by CVE-2021-43290
-
cpe:2.3:a:thoughtworks:gocd:14.2.0
-
cpe:2.3:a:thoughtworks:gocd:14.3.0
-
cpe:2.3:a:thoughtworks:gocd:14.4.0
-
cpe:2.3:a:thoughtworks:gocd:15.1.0
-
cpe:2.3:a:thoughtworks:gocd:15.2.0
-
cpe:2.3:a:thoughtworks:gocd:15.3.0
-
cpe:2.3:a:thoughtworks:gocd:15.3.1
-
cpe:2.3:a:thoughtworks:gocd:16.1.0
-
cpe:2.3:a:thoughtworks:gocd:16.10.0
-
cpe:2.3:a:thoughtworks:gocd:16.11.0
-
cpe:2.3:a:thoughtworks:gocd:16.12.0
-
cpe:2.3:a:thoughtworks:gocd:16.2.0
-
cpe:2.3:a:thoughtworks:gocd:16.2.1
-
cpe:2.3:a:thoughtworks:gocd:16.3.0
-
cpe:2.3:a:thoughtworks:gocd:16.4.0
-
cpe:2.3:a:thoughtworks:gocd:16.5.0
-
cpe:2.3:a:thoughtworks:gocd:16.6.0
-
cpe:2.3:a:thoughtworks:gocd:16.7.0
-
cpe:2.3:a:thoughtworks:gocd:16.8.0
-
cpe:2.3:a:thoughtworks:gocd:16.9.0
-
cpe:2.3:a:thoughtworks:gocd:17.1.0
-
cpe:2.3:a:thoughtworks:gocd:17.10.0
-
cpe:2.3:a:thoughtworks:gocd:17.11.0
-
cpe:2.3:a:thoughtworks:gocd:17.12.0
-
cpe:2.3:a:thoughtworks:gocd:17.2.0
-
cpe:2.3:a:thoughtworks:gocd:17.3.0
-
cpe:2.3:a:thoughtworks:gocd:17.4.0
-
cpe:2.3:a:thoughtworks:gocd:17.5.0
-
cpe:2.3:a:thoughtworks:gocd:17.6.0
-
cpe:2.3:a:thoughtworks:gocd:17.7.0
-
cpe:2.3:a:thoughtworks:gocd:17.8.0
-
cpe:2.3:a:thoughtworks:gocd:17.9.0
-
cpe:2.3:a:thoughtworks:gocd:18.1.0
-
cpe:2.3:a:thoughtworks:gocd:18.10.0
-
cpe:2.3:a:thoughtworks:gocd:18.11.0
-
cpe:2.3:a:thoughtworks:gocd:18.12.0
-
cpe:2.3:a:thoughtworks:gocd:18.2.0
-
cpe:2.3:a:thoughtworks:gocd:18.3.0
-
cpe:2.3:a:thoughtworks:gocd:18.4.0
-
cpe:2.3:a:thoughtworks:gocd:18.5.0
-
cpe:2.3:a:thoughtworks:gocd:18.6.0
-
cpe:2.3:a:thoughtworks:gocd:18.7.0
-
cpe:2.3:a:thoughtworks:gocd:18.8.0
-
cpe:2.3:a:thoughtworks:gocd:18.9.0
-
cpe:2.3:a:thoughtworks:gocd:19.1.0
-
cpe:2.3:a:thoughtworks:gocd:19.10.0
-
cpe:2.3:a:thoughtworks:gocd:19.11.0
-
cpe:2.3:a:thoughtworks:gocd:19.12.0
-
cpe:2.3:a:thoughtworks:gocd:19.2.0
-
cpe:2.3:a:thoughtworks:gocd:19.3.0
-
cpe:2.3:a:thoughtworks:gocd:19.4.0
-
cpe:2.3:a:thoughtworks:gocd:19.5.0
-
cpe:2.3:a:thoughtworks:gocd:19.6.0
-
cpe:2.3:a:thoughtworks:gocd:19.7.0
-
cpe:2.3:a:thoughtworks:gocd:19.8.0
-
cpe:2.3:a:thoughtworks:gocd:19.9.0
-
cpe:2.3:a:thoughtworks:gocd:20.1.0
-
cpe:2.3:a:thoughtworks:gocd:20.10.0
-
cpe:2.3:a:thoughtworks:gocd:20.2.0
-
cpe:2.3:a:thoughtworks:gocd:20.3.0
-
cpe:2.3:a:thoughtworks:gocd:20.4.0
-
cpe:2.3:a:thoughtworks:gocd:20.5.0
-
cpe:2.3:a:thoughtworks:gocd:20.6.0
-
cpe:2.3:a:thoughtworks:gocd:20.7.0
-
cpe:2.3:a:thoughtworks:gocd:20.8.0
-
cpe:2.3:a:thoughtworks:gocd:20.9.0
-
cpe:2.3:a:thoughtworks:gocd:21.1.0
-
cpe:2.3:a:thoughtworks:gocd:21.2.0