CVE-2021-43287
📋 TL;DR
CVE-2021-43287 is a critical information disclosure vulnerability in ThoughtWorks GoCD's business continuity add-on. Unauthenticated attackers can exploit this flaw to access all secrets stored on the GoCD server, including API keys, passwords, and credentials. All GoCD installations running versions before 21.3.0 are affected, and the vulnerable add-on is enabled by default.
💻 Affected Systems
- ThoughtWorks GoCD
📦 What is this software?
GoCD by ThoughtWorks
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all secrets stored in GoCD, leading to lateral movement, data exfiltration, and full pipeline takeover across connected systems.
Likely Case
Attackers steal sensitive credentials and secrets, enabling unauthorized access to downstream systems, repositories, and deployment targets.
If Mitigated
Limited impact if secrets are regularly rotated and access controls restrict what attackers can do with stolen credentials.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.3.0 and later
Vendor Advisory: https://www.gocd.org/releases/#21-3-0
Restart Required: Yes
Instructions:
1. Back up your GoCD configuration and data.
2. Download GoCD 21.3.0 or later from official sources.
3. Stop the GoCD service.
4. Install the new version following vendor documentation.
5. Restart the GoCD service.
6. Verify functionality.
🔧 Temporary Workarounds
Disable Business Continuity Add-on
Temporarily disable the vulnerable business continuity add-on to prevent exploitation.
Edit GoCD configuration to set 'business_continuity.enabled: false'
Network Access Control
Restrict network access to the GoCD server to trusted IPs only.
Configure firewall rules to allow only authorized IPs to access GoCD ports
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit access to GoCD server
- Rotate all secrets stored in GoCD immediately and monitor for unauthorized access
🔍 How to Verify
Check if Vulnerable:
Check the GoCD version via the web interface or configuration files. If the version is below 21.3.0, the system is vulnerable.
Check Version:
Check the GoCD web interface dashboard or examine server configuration files for version information.
Verify Fix Applied:
After patching, verify that the version is 21.3.0 or higher and test that the business continuity endpoint no longer leaks secrets.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to business continuity endpoints
- Unauthenticated requests to /go/add-on/business-continuity/api/*
Network Indicators:
- HTTP requests to business continuity endpoints from untrusted sources
- Unusual data exfiltration patterns
SIEM Query:
source="gocd" AND (uri_path="/go/add-on/business-continuity/api/*" OR user_agent="*unauthenticated*")
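As an added example (not part of this advisory or of the GoCD project), the script below implements the two checks described above: the version test against 21.3.0, and a scan of access-log lines for requests to the /go/add-on/business-continuity/api/ prefix. The log layout, the trusted IP set and the sample lines are constructed assumptions; the sub-path used in the sample is a placeholder, not a real endpoint.

```python
import re
from typing import List, Tuple

# Releases older than this are affected according to the advisory.
FIXED_VERSION = (21, 3, 0)
# Endpoint prefix named in the advisory's log indicators.
BC_API_PREFIX = "/go/add-on/business-continuity/api/"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a GoCD version string such as '21.2.0' or '20.5.0-11820' into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GoCD version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the server runs a release before 21.3.0."""
    return parse_version(version) < FIXED_VERSION


# Assumed access-log layout (hypothetical, combined-log style):
# client_ip - user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) - (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_bc_requests(log_lines: List[str], trusted_ips: set) -> List[dict]:
    """Return every request to the business-continuity API, noting whether its source is trusted."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        ip, user, method, path, status = m.groups()
        if path.startswith(BC_API_PREFIX):
            hits.append({"ip": ip, "user": user, "path": path, "status": int(status),
                         "trusted_source": ip in trusted_ips})
    return hits


# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jan/2024:10:00:00 +0000] "GET /go/pipelines HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /go/add-on/business-continuity/api/PLACEHOLDER HTTP/1.1" 200 48',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /go/add-on/business-continuity/api/PLACEHOLDER HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("21.2.0"))
    for hit in find_bc_requests(SAMPLE_LOG, {"10.0.0.5", "10.0.0.9"}):
        print(hit)
```

Any hit from an untrusted source, or any hit at all on a server still below 21.3.0, warrants secret rotation as listed under "If You Can't Patch".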
🔗 References
- https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover
- https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c
- https://www.gocd.org/releases/#21-3-0