CVE-2021-43290

9.8 CRITICAL

📋 TL;DR

An attacker who already controls a GoCD agent can make the GoCD server write a file of the attacker's choosing into a directory on the server. The attacker picks the filename but not the directory: the server decides where the file lands. Every GoCD release before 21.3.0 is affected; 21.3.0 contains the fix.

💻 Affected Systems

Products:
  • ThoughtWorks GoCD
Versions: All versions before 21.3.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. Requires at least one compromised GoCD agent to exploit.

📦 What is this software?

GoCD is an open-source continuous delivery server originally built by ThoughtWorks. A central server stores the pipeline configuration, schedules jobs and serves the web UI and API; agents are separate processes, usually on separate build hosts, that register with the server, run the commands a job specifies and send results and artifacts back. Agents execute whatever the pipelines and the repositories they build tell them to, which makes them the least trusted component in the deployment and the natural starting point for this vulnerability.

⚠️ Risk & Real-World Impact

🔴 Worst Case

The file lands in a directory the server later loads code or configuration from. The attacker then has arbitrary code execution on the server, which holds every pipeline definition and the credentials pipelines use for source repositories and deployment targets, and can use those to exfiltrate data and move laterally into the infrastructure the pipelines deploy to.

🟠 Likely Case

A compromised agent is used as a stepping stone to the server: the attacker writes into the server directory, manipulates pipelines and reads sensitive configuration. Agents are the weak point because they run pipeline-supplied commands, so anyone who can change a pipeline, or the build scripts in a repository the pipeline builds, already has the precondition.

🟢 If Mitigated

With agents on their own network segment, agent enrollment locked down and the server's filesystem watched for unexpected files, exploitation still requires an agent compromise and a dropped file is noticed quickly. Only upgrading to 21.3.0 removes the upload path itself.

🌐 Internet-Facing: MEDIUM - The server is not the entry point; the attacker needs an agent first. An internet-exposed server does make the agent-facing port reachable from anywhere, so agent enrollment (a secret auto-register key, manual approval of new agents) becomes the control that matters.
🏢 Internal Only: HIGH - Internal build agents typically run with broad access, execute code from many repositories and are rarely hardened like the server, so agent compromise is the more likely path, and the server then becomes the pivot into the rest of the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

The precondition is control of a registered agent, which in practice means control of a build host or of the commands a pipeline runs on it. The upload then travels over the ordinary agent-to-server channel, so it looks like normal agent traffic. The vulnerability chain is well-documented in public research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 21.3.0 and later

Vendor Advisory: https://www.gocd.org/releases/#21-3-0

Restart Required: Yes

Instructions:

1. Back up your GoCD configuration and data.
2. Download GoCD 21.3.0 or later from official sources.
3. Stop the GoCD server.
4. Install the new version following the platform-specific instructions.
5. Restart the GoCD server.
6. Upgrade the agents to a matching version and verify that each one reconnects.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Put agents on their own network segment and allow them to reach only the GoCD server port they register on. This limits what a compromised agent can reach, but it does not block the vulnerable upload itself: that upload travels over the same agent-to-server channel the agent uses legitimately.

Agent Security Hardening

Platform: all

Treat agents as untrusted build hosts: keep the auto-register key out of shared repositories and images, approve new agents manually, run agents under a dedicated low-privilege account and monitor them for unexpected processes and outbound connections. The aim is to make the initial agent compromise this vulnerability depends on harder and noisier.

🧯 If You Can't Patch

  • Implement strict network segmentation between GoCD agents, the server and the rest of the estate, so a compromised agent reaches nothing but the server
  • Lock down agent enrollment: keep the auto-register key secret and approve new agents manually, so an attacker cannot simply enroll a host of their own as an agent
  • Run the GoCD server under a dedicated low-privilege account, so a file written through this bug has no more rights than the server itself
  • Baseline the server's filesystem and alert on new or changed files in directories the server writes to
  • Enhance monitoring and logging on all GoCD agents for signs of compromise
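One concrete form of the agent-enrollment control, written as an added example for this page rather than taken from GoCD's own tooling: it reads the server's Agents API (GET /go/api/agents) and flags agents that are pending approval or that are enabled but not on an allowlist of hosts you provisioned. The API field names are the documented ones; the Accept header version (v7), the allowlist and the sample response are assumptions or constructed data you replace with your own.

```python
"""Audit which agents a GoCD server will hand work to.

Added example for the CVE-2021-43290 advisory, not GoCD project code.
Assumptions: the Accept header version (adjust to your server release),
KNOWN_AGENTS (hosts you actually provisioned) and SAMPLE_AGENTS (a
constructed response in the shape of the Agents API).
"""
import base64
import json
import urllib.request

# Constructed allowlist: (hostname, ip_address) pairs you provisioned.
# Both are checked, because a rogue host can pick any hostname it likes.
KNOWN_AGENTS = {
    ("build-01.internal", "10.0.5.11"),
    ("build-02.internal", "10.0.5.12"),
}

# Constructed sample response; only the fields the audit uses are included.
SAMPLE_AGENTS = json.dumps({"_embedded": {"agents": [
    {"uuid": "a1", "hostname": "build-01.internal", "ip_address": "10.0.5.11",
     "agent_config_state": "Enabled", "agent_state": "Idle"},
    {"uuid": "a2", "hostname": "build-02.internal", "ip_address": "10.0.5.12",
     "agent_config_state": "Enabled", "agent_state": "Building"},
    # Unknown host waiting for an admin to click "Enable".
    {"uuid": "a3", "hostname": "laptop-7", "ip_address": "10.0.9.200",
     "agent_config_state": "Pending", "agent_state": "Idle"},
    # Known hostname but an address that was never provisioned.
    {"uuid": "a4", "hostname": "build-01.internal", "ip_address": "10.0.7.3",
     "agent_config_state": "Enabled", "agent_state": "Idle"},
]}})


def audit_agents(body: str, known=KNOWN_AGENTS) -> list:
    """Return [(uuid, reason), ...] for agents that need a human look."""
    findings = []
    for agent in json.loads(body)["_embedded"]["agents"]:
        ident = (agent.get("hostname"), agent.get("ip_address"))
        state = agent.get("agent_config_state")
        if state == "Pending":
            findings.append((agent["uuid"],
                             "pending approval: verify the host before enabling"))
        elif state == "Enabled" and ident not in known:
            findings.append((agent["uuid"],
                             f"enabled but not on the allowlist: {ident}"))
    return findings


def fetch_and_audit(base_url: str, user: str, password: str,
                    accept: str = "application/vnd.go.cd.v7+json") -> list:
    """Live variant: GET {base_url}/go/api/agents with basic auth.
    The Accept version is an assumption; match it to your server."""
    req = urllib.request.Request(base_url.rstrip("/") + "/go/api/agents")
    req.add_header("Accept", accept)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return audit_agents(resp.read().decode())


if __name__ == "__main__":
    for uuid, reason in audit_agents(SAMPLE_AGENTS):
        print(uuid, reason)
```

The audit catches rogue enrollment and mistaken approvals; it cannot tell you that an agent on the allowlist has itself been taken over, which is why the filesystem and log monitoring below still matter.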

🔍 How to Verify

Check if Vulnerable:

Read the server version. Anything below 21.3.0 is vulnerable. Compare the components numerically, not as strings: 21.10.0 is newer than 21.3.0.

Check Version:

There is no gocd-server --version command. The version is shown in the footer of the server's web UI and on its About page (/go/about), and is returned by the Version API: GET /go/api/version with the header Accept: application/vnd.go.cd.v1+json gives a JSON document whose version and full_version fields carry the release number.

Verify Fix Applied:

Confirm the version reported by the web UI or the Version API is 21.3.0 or higher, and check the Agents page to confirm every agent has reconnected on the upgraded version. The advisory does not name the affected directory, so there is no direct upload test to run; the version check is the verification.
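The version comparison done properly, as an added example (not GoCD's own tooling): it parses the Version API response, compares the release numerically against 21.3.0 and reports a verdict. The endpoint and the Accept header are the documented ones; the sample response below is constructed for offline use, and the URL and credentials in the live variant are yours to supply.

```python
"""Decide whether a GoCD server is below the 21.3.0 fix for CVE-2021-43290.

Added example for this advisory, not GoCD project code. Uses the real
Version API (GET /go/api/version, Accept: application/vnd.go.cd.v1+json);
SAMPLE_RESPONSE is a constructed body in that API's shape.
"""
import base64
import json
import re
import urllib.request

FIXED_VERSION = (21, 3, 0)  # first release containing the fix

# Constructed sample; field names match the API, values are made up.
SAMPLE_RESPONSE = json.dumps({
    "version": "21.2.0",
    "build_number": "12345",
    "git_sha": "0123456789abcdef",
    "full_version": "21.2.0 (12345-0123456789abcdef)",
})


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) from '21.2.0' or '21.2.0 (12345-abc)'.
    Raises ValueError for anything that does not start with three numbers."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GoCD version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text: str) -> bool:
    """True when the server is older than 21.3.0.
    Tuple comparison is numeric, so 21.10.0 correctly ranks above 21.3.0."""
    return parse_version(version_text) < FIXED_VERSION


def assess_response(body: str) -> dict:
    """Parse a Version API body and return the version plus the verdict."""
    data = json.loads(body)
    version = data.get("full_version") or data["version"]
    return {"version": version, "vulnerable": is_vulnerable(version)}


def check_server(base_url: str, user: str = None, password: str = None) -> dict:
    """Live variant: call the Version API on your server (URL and
    credentials are yours; basic auth is sent only when a user is given)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/go/api/version")
    req.add_header("Accept", "application/vnd.go.cd.v1+json")
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return assess_response(resp.read().decode())


if __name__ == "__main__":
    # Offline run against the constructed sample; use check_server() live.
    print(assess_response(SAMPLE_RESPONSE))
```

Run assess_response on a saved response, or check_server against the live server, for every GoCD instance you own; a version string the regex rejects is worth a manual look rather than a silent pass.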

📡 Detection & Monitoring

Log Indicators:

  • File uploads from agents that do not correspond to a job running on that agent at that time
  • Agents connecting, registering or changing state outside normal build activity
  • New or modified files in directories the GoCD server writes to, especially names the server itself would never create

Network Indicators:

  • Agent-to-server traffic whose volume or timing does not line up with scheduled jobs
  • Agent connections from hosts that are not known build agents

SIEM Query (template only: source and event are placeholders for whatever fields your pipeline extracts from the GoCD server log; no GoCD log contains a literal agent_compromise event, so map that clause to the agent registration and state-change messages your server actually emits):

source="gocd" AND (event="file_upload" OR event="agent_compromise")
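The filesystem indicator above, made concrete as an added example that is not part of the advisory or of GoCD: take a baseline of a directory tree the server writes to, then diff later snapshots against it and treat additions as the signal this bug produces. The advisory does not name the affected directory, so the root path is a parameter you choose (for instance the server's working directory); the demo builds a temporary tree with constructed files so it runs offline.

```python
"""Baseline-and-diff monitor for directories the GoCD server writes to.

Added example for the CVE-2021-43290 advisory, not GoCD project code.
Assumption: you point snapshot() at a directory the server owns; the
demo() tree and its files are constructed.
"""
import hashlib
import json
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each regular file under root (relative, '/'-separated path)
    to its SHA-256. Symlinks are skipped so a planted link cannot make the
    monitor hash something outside the tree."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = h.hexdigest()
    return out


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify changes. 'added' is what an agent-supplied file shows up as;
    'modified' catches overwrites of files the server already had."""
    return {
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
        "modified": sorted(p for p in after
                           if p in before and after[p] != before[p]),
    }


def save_snapshot(snap: dict, path: str) -> None:
    """Persist a baseline; store it somewhere the server cannot write."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_snapshot(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Offline run on a constructed tree: baseline, then simulate one
    dropped file and one tampered file, and diff."""
    with tempfile.TemporaryDirectory() as root:
        data = os.path.join(root, "data")
        os.makedirs(data)
        with open(os.path.join(data, "baseline.txt"), "wb") as f:
            f.write(b"present at baseline\n")
        before = snapshot(root)
        with open(os.path.join(data, "new-file.bin"), "wb") as f:  # the "upload"
            f.write(b"\x00unexpected")
        with open(os.path.join(data, "baseline.txt"), "ab") as f:  # tampering
            f.write(b"changed\n")
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In production, take the baseline right after an upgrade, run the diff on a schedule and on every alert, and keep the baseline file outside the monitored tree and outside the server account's write access, or an attacker who lands a file can also land a matching baseline.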

🔗 References

  • GoCD 21.3.0 release notes (vendor advisory): https://www.gocd.org/releases/#21-3-0
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-43290
