CVE-2021-25924

8.8 HIGH

📋 TL;DR

CVE-2021-25924 is a Cross-Site Request Forgery (CSRF) vulnerability in GoCD's backup configuration endpoint (/go/api/config/backup). An attacker who lures a logged-in GoCD administrator to a page they control can make the victim's browser submit a state-changing request to that endpoint with the victim's session cookie attached, and the server accepts it as if the administrator had made it. Because the backup configuration includes a post_backup_script field that the GoCD server executes after each backup completes, rewriting that field gives the attacker command execution on the server host with the privileges of the go-server process. Any administrator of an affected version who browses the web while logged in is a viable target.

💻 Affected Systems

Products:
  • GoCD
Versions: 19.6.0 through 21.1.0, inclusive
Operating Systems: All platforms running GoCD
Default Config Vulnerable: ⚠️ Yes
Notes: Every installation in the affected range is vulnerable regardless of configuration; GoCD has no built-in setting that adds CSRF protection to this endpoint, so only an external control (a reverse proxy or WAF that rejects cross-origin writes) changes the picture before the upgrade.

📦 What is this software?

GoCD is an open-source continuous delivery server that models and runs build and deployment pipelines. The server exposes a web UI and a REST API (by default on TCP 8153 for HTTP and 8154 for HTTPS), and administrators configure periodic backups of its configuration and database there, including an optional post_backup_script that the server runs on its own host after each backup completes.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Command execution on the GoCD server host as the account running the go-server process, via the post_backup_script field, leading to theft of the secrets and credentials the CD server holds, tampering with builds and deployments, or ransomware on the server.

🟠

Likely Case

An attacker rewrites the backup configuration (schedule, notification settings, post_backup_script) through an administrator's browser: at minimum backups stop or run on the attacker's schedule and can be disrupted or lost; with post_backup_script set, the result is command execution on the server host the next time a backup runs.

🟢

If Mitigated

The cross-site request is rejected before it reaches the backup configuration (by a patched server, or by a reverse proxy that enforces an Origin check in front of an unpatched one), leaving only a logged failed request and no change to the configuration.

🌐 Internet-Facing: HIGH - The attacker never needs to reach GoCD directly; a link in an e-mail or a page the administrator visits is enough, as long as the victim's browser can reach the server.
🏢 Internal Only: MEDIUM - The victim's browser must be able to reach the GoCD server, so an outside attacker needs an insider or a compromised workstation to open the malicious page; once that happens the impact is the same as for an internet-facing server.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The attacker needs no GoCD credentials: the request is sent by the victim's browser and authenticated by the victim's session cookie. What is required is that the victim holds an active administrator session (only administrators can change backup settings) and opens the attacker's page while the browser can reach the GoCD server. Once that happens the request itself is trivial to construct.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 21.2.0 and later

Vendor Advisory (fix commit): https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548

Restart Required: Yes

Instructions:

1. Upgrade GoCD to version 21.2.0 or later.
2. Restart the GoCD server.
3. Confirm the running version (for example with GET /go/api/version), then confirm that a non-GET request to /go/api/config/backup sent from a page on another origin, with a valid administrator session cookie, is rejected and leaves the backup configuration unchanged.

🔧 Temporary Workarounds

Block Cross-Origin Writes at a Reverse Proxy

Platform: all

GoCD exposes no setting that adds CSRF tokens to a single endpoint, so this cannot be done inside GoCD itself. If upgrading is not immediately possible, put a reverse proxy (nginx, HAProxy, Apache httpd) or a WAF in front of the server and have it reject any non-GET request to /go/api/config/backup that carries a session cookie but whose Origin header (or Referer, when Origin is absent) does not name the GoCD host.

API clients that authenticate with Basic auth or an access token send no cookie and are unaffected by the rule; the GoCD web UI calls the endpoint from the same origin, so it keeps working.
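The decision the proxy or WAF rule has to make is easy to get subtly wrong (blocking API clients, or letting a sandboxed frame with `Origin: null` through), so here it is spelled out as an added example. This is not GoCD's code and not a GoCD feature: it is the check you would translate into your proxy's rule language. The trusted origin `https://gocd.example.com` and every request in the demo are placeholders constructed for this example.

```python
"""Added example (not GoCD's code): the verdict a reverse proxy or WAF should apply to
GoCD's backup configuration endpoint while the server cannot yet be upgraded.

A request is refused only when all three hold: it is not a read-only method, it carries
a session cookie (so a browser, not an API client, authenticated it), and its Origin
(or, when Origin is absent, its Referer) does not name the GoCD host.
"""
from typing import Optional
from urllib.parse import urlsplit

PROTECTED_PATH = "/go/api/config/backup"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(url: str) -> Optional[str]:
    """Return scheme://host[:port] of a URL, or None if it has none (e.g. 'Origin: null')."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_cross_site_write(method: str, path: str, headers: dict, trusted_origin: str) -> bool:
    """True when the request must be refused as a probable CSRF against the backup config."""
    if path != PROTECTED_PATH or method.upper() in SAFE_METHODS:
        return False
    h = {k.lower(): v for k, v in headers.items()}
    if "cookie" not in h:
        return False  # Basic-auth / token clients send no cookie; CSRF rides on cookies only
    source = h.get("origin") or h.get("referer")
    if not source:
        return True   # a cookie-authenticated write with no provenance header: refuse
    return _origin_of(source) != trusted_origin.lower()


def decide(method: str, path: str, headers: dict,
           trusted_origin: str = "https://gocd.example.com"):  # placeholder host
    """Proxy verdict as (status, reason); 403 means the request never reaches GoCD."""
    if is_cross_site_write(method, path, headers, trusted_origin):
        return 403, "cross-site write to backup config refused"
    return 200, "forwarded to GoCD"


if __name__ == "__main__":
    # Constructed requests covering the cases the rule must distinguish.
    demos = [
        ("same-origin admin UI", "PATCH", {"Cookie": "JSESSIONID=x", "Origin": "https://gocd.example.com"}),
        ("cross-site form post", "POST", {"Cookie": "JSESSIONID=x", "Origin": "https://attacker.example"}),
        ("referer only, foreign", "POST", {"Cookie": "JSESSIONID=x", "Referer": "https://attacker.example/p.html"}),
        ("sandboxed frame", "POST", {"Cookie": "JSESSIONID=x", "Origin": "null"}),
        ("API client, basic auth", "PATCH", {"Authorization": "Basic eDp5", "Accept": "application/vnd.go.cd.v1+json"}),
        ("read-only", "GET", {"Cookie": "JSESSIONID=x", "Origin": "https://attacker.example"}),
    ]
    for name, method, headers in demos:
        print(f"{name:24s} -> {decide(method, PROTECTED_PATH, headers)}")
```

Only writes that ride on a session cookie are affected, which is what makes the rule safe to deploy without breaking the GoCD UI or scripted API clients; a GET is never blocked because a cross-site GET cannot read the response.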

Network Segmentation

Platform: all

Restrict access to GoCD administration interface to trusted networks only.

Configure firewall rules to limit access to GoCD ports (8153, 8154 by default) to authorized IPs only

🧯 If You Can't Patch

  • Keep the administration interface off the internet and restrict it to trusted networks; the attack only works if the victim's browser can reach the GoCD server.
  • Enforce an Origin/Referer check for non-GET requests to /go/api/config/backup at a reverse proxy or WAF, and alert on every request it rejects as well as on every write that succeeds from an unexpected source.
  • Review the current backup configuration (GET /go/api/config/backup, or the backup settings in the admin UI) for a post_backup_script or schedule you did not set, and treat one as an indicator of compromise rather than a misconfiguration.

🔍 How to Verify

Check if Vulnerable:

Read the server version (see below). If it is 19.6.0 through 21.1.0 inclusive, the server is vulnerable regardless of configuration. To confirm behaviourally on your own server, log in as an administrator, then from a page served on a different origin have the browser submit a non-GET request to /go/api/config/backup with credentials included; on a vulnerable server the request is accepted and the backup configuration changes.

Check Version:

The version appears in the footer of the web UI and in the server log at startup; it is also returned by the Version API: GET /go/api/version with the header Accept: application/vnd.go.cd.v1+json.

Verify Fix Applied:

After upgrading, GET /go/api/version should report 21.2.0 or later, and the cross-origin request from the check above should be rejected rather than applied; compare the backup configuration before and after the attempt to be sure it did not change.

📡 Detection & Monitoring

Log Indicators:

  • On a patched server, or behind a proxy that enforces the Origin check: rejected (403) non-GET requests to /go/api/config/backup. On a vulnerable server nothing is rejected, so the only trace of a successful attack is the configuration change itself.
  • Backup configuration changes (a new post_backup_script or schedule) that no administrator recalls making, particularly from a session whose other activity is ordinary browsing.

Network Indicators:

  • Non-GET requests to /go/api/config/backup that carry a session cookie and whose Origin or Referer names a host other than the GoCD server, or is absent.
  • Several non-GET requests to the backup endpoint from one client within seconds, which is typical of an auto-submitting attack page retrying or of one page hitting several payloads.

SIEM Query:

source="gocd.log" uri_path="/go/api/config/backup" http_method!="GET" | stats count values(response_status) values(referer) by src_ip user

Field names (uri_path, http_method, response_status, referer) depend on how your log parser names them; the query returns every write to the endpoint so that 200s from an unexpected referer and 403s from the proxy rule can both be reviewed.
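The SIEM query above assumes parsed fields; if all you have is the raw access log of the reverse proxy in front of GoCD, the same hunt can be run directly over it. The script below is an added example, not part of the advisory or of GoCD. It assumes nginx's default combined log format with Referer recorded (an assumption about your proxy), uses the placeholder hostname gocd.example.com, and runs over log lines constructed for this example. It flags the three indicators listed above: an accepted write whose Referer is absent or foreign, a rejected (403) write, and a burst of writes from one client.

```python
"""Added example (not from the advisory or GoCD): hunt a reverse-proxy access log for
writes to GoCD's backup configuration endpoint. Log lines are constructed for this
example in nginx's default 'combined' format; GOCD_HOST is a placeholder.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

ENDPOINT = "/go/api/config/backup"
GOCD_HOST = "gocd.example.com"  # assumption: the hostname administrators browse to
READ_ONLY = {"GET", "HEAD", "OPTIONS"}

# combined: $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: an admin's normal edit at 09:12, then an attack page at 11:47
# that fires one POST, a second POST with no Referer, and a third that a proxy rule rejected.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2021:09:12:01 +0000] "GET /go/api/config/backup HTTP/1.1" 200 412 "https://gocd.example.com/go/admin/backup" "Mozilla/5.0"
10.0.0.5 - - [14/Mar/2021:09:12:09 +0000] "PATCH /go/api/config/backup HTTP/1.1" 200 412 "https://gocd.example.com/go/admin/backup" "Mozilla/5.0"
10.0.0.5 - - [14/Mar/2021:11:47:30 +0000] "POST /go/api/config/backup HTTP/1.1" 200 412 "https://files.attacker.example/bonus.html" "Mozilla/5.0"
10.0.0.5 - - [14/Mar/2021:11:47:31 +0000] "POST /go/api/config/backup HTTP/1.1" 200 412 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Mar/2021:11:47:31 +0000] "POST /go/api/config/backup HTTP/1.1" 403 0 "https://files.attacker.example/bonus.html" "Mozilla/5.0"
10.0.0.9 - ci-bot [14/Mar/2021:12:00:00 +0000] "GET /go/api/config/backup HTTP/1.1" 200 412 "-" "curl/7.68.0"
"""


def parse(log_text):
    """Yield one dict per parseable line, with typed time and status."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
            rec["status"] = int(rec["status"])
            yield rec


def referer_is_foreign(referer):
    """Absent ('-') or non-GoCD Referer on a write is the CSRF tell."""
    if referer in ("", "-"):
        return True
    return urlsplit(referer).hostname != GOCD_HOST


def hunt(log_text, burst_n=3, window=timedelta(seconds=60)):
    """Return findings as (kind, client_ip, time, detail) tuples."""
    findings = []
    writes_by_ip = defaultdict(list)
    for r in parse(log_text):
        if r["path"] != ENDPOINT or r["method"] in READ_ONLY:
            continue
        writes_by_ip[r["ip"]].append(r["time"])
        if 200 <= r["status"] < 300 and referer_is_foreign(r["referer"]):
            findings.append(("accepted-cross-site-write", r["ip"], r["time"], r["referer"]))
        elif r["status"] == 403:
            findings.append(("rejected-write", r["ip"], r["time"], r["referer"]))
    for ip, times in writes_by_ip.items():
        times.sort()
        for i in range(len(times) - burst_n + 1):
            if times[i + burst_n - 1] - times[i] <= window:
                findings.append(("burst", ip, times[i], f"{burst_n} writes within {window}"))
                break
    return findings


if __name__ == "__main__":
    for kind, ip, when, detail in hunt(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S} {ip:10s} {kind:26s} {detail}")
```

The admin's own PATCH at 09:12 produces no finding because its Referer is the GoCD host, and the curl client is ignored because it only reads. An accepted write with a foreign or missing Referer is the finding to escalate on a vulnerable server; the 403 only appears once the proxy rule or the patch is in place.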
