Skip to main content

Gocd CVE-2021-44659

CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2021-12-22 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 22, 2021 - 18:15 nvd
CRITICAL 9.8

DescriptionNVD

Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF). NOTE: the vendor's position is that the observed behavior is not a vulnerability, because the product's design allows an admin to configure outbound requests

AnalysisAI

Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF). NOTE: the vendor's position is that the observed behavior is not a vulnerability, because the product's design allows an admin to configure outbound requests Affected products include: Thoughtworks Gocd. Version information: version 21.3.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

More in Gocd

View all
CVE-2022-39311 HIGH
8.8 Oct 14

GoCD is a continuous delivery server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at

CVE-2022-29184 HIGH
8.8 May 20

GoCD is a continuous delivery server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at

CVE-2021-25924 HIGH
8.8 Apr 01

In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/

CVE-2022-24832 MEDIUM
6.8 Apr 11

GoCD is an open source a continuous delivery server. Rated medium severity (CVSS 6.8), this vulnerability is remotely ex

CVE-2022-39310 MEDIUM
6.5 Oct 14

GoCD is a continuous delivery server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low

CVE-2022-39309 MEDIUM
6.5 Oct 14

GoCD is a continuous delivery server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low

CVE-2024-28866 MEDIUM
6.1 May 14

GoCD is a continuous delivery server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no a

CVE-2022-29183 MEDIUM
6.1 May 20

GoCD is a continuous delivery server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no a

CVE-2022-39308 MEDIUM
5.9 Oct 14

GoCD is a continuous delivery server. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no a

CVE-2022-36088 MEDIUM
5.5 Sep 07

GoCD is a continuous delivery server. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Thi

CVE-2023-28629 MEDIUM
5.4 Mar 27

GoCD is an open source continuous delivery server. Rated medium severity (CVSS 5.4), this vulnerability is remotely expl

CVE-2022-29182 MEDIUM
5.4 May 20

GoCD is a continuous delivery server. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no a

Share

CVE-2021-44659 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy