
GoCD before 21.3.0 allows a compromised agent to upload an arbitrarily named file to an unexpected directory on the server (path traversal)

Moderate
chadlwilson published GHSA-fvvm-grvw-3wp2 May 22, 2022

Package

gocd-server

Affected versions

< 21.3.0

Patched versions

21.3.0

Description

Impact

GoCD versions before 21.3.0 are vulnerable to path traversal during artifact uploads from an agent to the GoCD server: a file of arbitrary name can be written to a directory outside the expected artifact location, although the final directory name is server-determined and cannot be controlled by the attacker. To exploit this, the attacker must first have compromised an agent, gaining access to the credentials the agent uses to authenticate with the server.

This is a variant of vulnerability GHSA-7w55-g4hv-8v7w / CVE-2021-43289.
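The following is an added Python model of the defect class described above; it is not GoCD code. The artifact root, directory layout, parameter names and the shape of the agent-supplied destination are assumptions for the demonstration (the real bug was narrower: per the advisory the final directory name stays server-determined, which this simplified model does not reproduce). It puts a naive join of the agent-supplied destination beside a resolver that confines the result to the job's artifact directory, which is the check that closes this class of bug.

```python
"""Artifact-upload destination resolution: naive join vs. containment check.

Illustrative model only (not GoCD's code). ARTIFACT_ROOT, the job_dir layout and
the agent_dest/agent_filename parameters are assumptions made for this example.
"""
import posixpath

# Assumed server-side artifact root; a real server would read this from config.
ARTIFACT_ROOT = "/var/lib/go-server/artifacts"


class TraversalRejected(ValueError):
    """Raised when an agent-supplied path would escape the job's artifact directory."""


def job_artifact_root(job_dir: str) -> str:
    """Server-determined directory for the job the agent is running.

    The agent cannot influence this part of the path; only agent_dest and
    agent_filename come over the wire from the (possibly compromised) agent.
    """
    return posixpath.normpath(posixpath.join(ARTIFACT_ROOT, job_dir))


def vulnerable_destination(job_dir: str, agent_dest: str, agent_filename: str) -> str:
    """Naive join: '..' segments and absolute paths from the agent are honoured,
    so the file can land anywhere the server process is allowed to write."""
    return posixpath.normpath(
        posixpath.join(job_artifact_root(job_dir), agent_dest, agent_filename))


def safe_destination(job_dir: str, agent_dest: str, agent_filename: str) -> str:
    """Resolve the destination, then refuse anything outside the job's root."""
    root = job_artifact_root(job_dir)

    # The file name must be exactly one path component: no separators, no '..'.
    if agent_filename in ("", ".", "..") or posixpath.basename(agent_filename) != agent_filename:
        raise TraversalRejected(f"file name is not a single path component: {agent_filename!r}")

    # The destination is relative to the job root by contract. An absolute path
    # would make posixpath.join discard the root entirely, so reject it outright.
    if posixpath.isabs(agent_dest):
        raise TraversalRejected(f"absolute destination not allowed: {agent_dest!r}")

    candidate = posixpath.normpath(posixpath.join(root, agent_dest, agent_filename))

    # Containment check on the normalised path: '..' that stays inside the root
    # (e.g. 'a/../b') is harmless, '..' that climbs above the root is not. The
    # candidate must also be strictly below the root, not the root itself.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        raise TraversalRejected(f"destination escapes job artifact root: {candidate}")
    return candidate


def is_rejected(job_dir: str, agent_dest: str, agent_filename: str) -> bool:
    """True if the hardened resolver refuses this upload request."""
    try:
        safe_destination(job_dir, agent_dest, agent_filename)
    except TraversalRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: one honest upload, two traversal attempts.
    job = "build/7/unit"
    requests = [
        ("reports/junit", "results.xml"),
        ("../../../../../../../tmp/evil", "payload.sh"),
        ("/etc/cron.d", "payload.sh"),
    ]
    for dest, name in requests:
        print("naive   :", vulnerable_destination(job, dest, name))
        print("hardened:", "REJECTED" if is_rejected(job, dest, name)
              else safe_destination(job, dest, name))
```

The string-level check above is the minimum; on a real filesystem the server should additionally resolve symlinks (for example with `os.path.realpath`) before comparing, since a link planted under the artifact root could still point outside it. The authenticated-agent prerequisite is also why the advisory scores Privileges Required as High.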

Patches

Fixed in GoCD 21.3.0.

Workarounds

None known.

Severity

Moderate, 4.9 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

CVE ID

CVE-2021-43290
