Skip to main content

Gocd CVE-2021-25924

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2021-04-01 vulnerabilitylab@mend.io
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 01, 2021 - 18:15 nvd
HIGH 8.8

DescriptionNVD

In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the /go/api/config/backup endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the post_backup_script field.

AnalysisAI

In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the /go/api/config/backup endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the /go/api/config/backup endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the post_backup_script field. Affected products include: Thoughtworks Gocd.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

More in Gocd

View all
CVE-2021-44659 CRITICAL POC
9.8 Dec 22

Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action

CVE-2022-39311 HIGH
8.8 Oct 14

GoCD is a continuous delivery server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at

CVE-2022-29184 HIGH
8.8 May 20

GoCD is a continuous delivery server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at

CVE-2022-24832 MEDIUM
6.8 Apr 11

GoCD is an open source a continuous delivery server. Rated medium severity (CVSS 6.8), this vulnerability is remotely ex

CVE-2022-39310 MEDIUM
6.5 Oct 14

GoCD is a continuous delivery server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low

CVE-2022-39309 MEDIUM
6.5 Oct 14

GoCD is a continuous delivery server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low

CVE-2024-28866 MEDIUM
6.1 May 14

GoCD is a continuous delivery server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no a

CVE-2022-29183 MEDIUM
6.1 May 20

GoCD is a continuous delivery server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no a

CVE-2022-39308 MEDIUM
5.9 Oct 14

GoCD is a continuous delivery server. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no a

CVE-2022-36088 MEDIUM
5.5 Sep 07

GoCD is a continuous delivery server. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Thi

CVE-2023-28629 MEDIUM
5.4 Mar 27

GoCD is an open source continuous delivery server. Rated medium severity (CVSS 5.4), this vulnerability is remotely expl

CVE-2022-29182 MEDIUM
5.4 May 20

GoCD is a continuous delivery server. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no a

Share

CVE-2021-25924 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy