CVE-2021-43288
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker in control of a GoCD Agent can plant malicious JavaScript into a failed Job Report...
CVE-2021-43288
Summary: CVE-2021-43288 affects ThoughtWorks GoCD before 21.3.0. If an attacker controls a GoCD Agent, they can inject malicious JavaScript into a failed Job Report, which amounts to stored cross-site scripting against users who view that report in the GoCD server web UI. Affected product/branch: ThoughtWorks GoCD server (versions prior to 21.3.0)....
CVE-2021-43289
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into an arbitrary directory of a GoCD server, but does not control the filename...
CVE-2021-43289
CVE-2021-43289 affects ThoughtWorks GoCD prior to 21.3.0. If an attacker compromises a GoCD agent, they can upload a malicious file into an arbitrary directory on the GoCD server, without controlling the filename. This indicates an upload path traversal risk at the server side. The issue is addre...
CVE-2021-43290
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into a directory of a GoCD server. They can control the filename but the directory is placed inside of a directory that they can't control...
CVE-2021-43290
ThoughtWorks GoCD before 21.3.0 is affected. An attacker who gains control of a GoCD agent can upload a malicious file into a server directory: the file name is attacker-controlled, but the destination directory lies inside a directory the attacker cannot choose. Affected component: GoCD server handling uploaded files; root cause: d...
CVE-2021-43287
An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers...
Design/Logic Flaw
An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers...
CVE-2021-43287
CVE-2021-43287 affects ThoughtWorks GoCD prior to 21.3.0. The vulnerability is an information-disclosure flaw in the business-continuity add-on, which is enabled by default, and it lets unauthenticated attackers retrieve all secrets known to the GoCD server. The linked sourc...
ThoughtWorks GoCD Command Injection Vulnerability
ThoughtWorks GoCD is a free and open source CI/CD server from ThoughtWorks, Inc. A command injection vulnerability exists in versions of ThoughtWorks GoCD prior to 21.3.0, which can be exploited by attackers to cause arbitrary command execution...
ThoughtWorks GoCD Path Traversal Vulnerability
ThoughtWorks GoCD is a free and open source CI/CD server from ThoughtWorks USA. A security vulnerability exists in ThoughtWorks GoCD versions prior to 21.3.0, which can be exploited by an attacker who compromises the GoCD agent to upload malicious files to a directory on the GoCD server...
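The two upload advisories above (CVE-2021-43289, where the agent controls the directory but not the filename, and CVE-2021-43290, where it controls the filename but not the directory) describe the same server-side gap: a path built from agent-supplied input is written without checking that it stays under the artifact root. The following is an added example of that containment check; it is not GoCD's own artifact-handling code. The artifact root, the function names, the filter rules and the sample uploads are hypothetical and constructed for illustration.

```python
from pathlib import Path, PurePosixPath

# Hypothetical artifact root, constructed for the example (not GoCD's real layout).
ARTIFACT_ROOT = Path("/srv/gocd/artifacts")


class UploadRejected(ValueError):
    """Raised when an upload would land outside the artifact root."""


def _check_filename(filename: str) -> None:
    # A filename must be a single, plain path component: no separators, no NUL,
    # and not one of the relative-path tokens.  This is the CVE-2021-43290 shape.
    if not filename or "\0" in filename or "/" in filename or "\\" in filename:
        raise UploadRejected(f"filename contains a separator or NUL: {filename!r}")
    if filename in (".", ".."):
        raise UploadRejected(f"filename is a relative-path token: {filename!r}")


def _check_rel_dir(rel_dir: str) -> None:
    # The directory is relative to the root; absolute paths, backslashes and
    # dot components are refused lexically before any filesystem work.
    # This is the CVE-2021-43289 shape.
    if "\0" in rel_dir or "\\" in rel_dir or rel_dir.startswith("/"):
        raise UploadRejected(f"directory is absolute or contains NUL/backslash: {rel_dir!r}")
    for part in PurePosixPath(rel_dir).parts:
        if part in (".", ".."):
            raise UploadRejected(f"directory contains {part!r}: {rel_dir!r}")


def resolve_upload_path(artifact_root: Path, rel_dir: str, filename: str) -> Path:
    """Return the absolute destination path, or raise UploadRejected."""
    _check_filename(filename)
    _check_rel_dir(rel_dir)
    root = artifact_root.resolve()
    candidate = (root / rel_dir / filename).resolve()
    # Final containment check on the *resolved* path.  This is the check that
    # matters: it also catches symlinks that already exist under the root,
    # which the lexical checks above cannot see.
    if candidate != root and root not in candidate.parents:
        raise UploadRejected(f"resolved path escapes root: {candidate}")
    return candidate


def is_contained(rel_dir: str, filename: str, artifact_root: Path = ARTIFACT_ROOT) -> bool:
    """True if the upload would be accepted, False if it would be rejected."""
    try:
        resolve_upload_path(artifact_root, rel_dir, filename)
        return True
    except UploadRejected:
        return False


# Constructed sample inputs of the kind a compromised agent might send.
SAMPLE_UPLOADS = [
    ("pipelines/web/1/build/compile", "report.html"),                 # legitimate
    ("../../../../etc/cron.d", "report.html"),                        # directory traversal
    ("pipelines/web/1/build/compile", "../../.ssh/authorized_keys"),  # filename traversal
    ("/etc/cron.d", "report.html"),                                   # absolute directory
    ("pipelines/web", ""),                                            # empty filename
]


def audit_samples() -> dict:
    """Map each sample (rel_dir, filename) pair to whether it would be accepted."""
    return {(d, f): is_contained(d, f) for d, f in SAMPLE_UPLOADS}


if __name__ == "__main__":
    for (d, f), ok in audit_samples().items():
        print("ACCEPT" if ok else "REJECT", repr(d), repr(f))
```

The lexical checks give clear error messages, but the resolved-path comparison is the one a reviewer should insist on: it is the only check that holds when a symlink under the root points elsewhere, and it is the check the two advisories describe as missing for the input each one lets the agent choose.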
ThoughtWorks GoCD Cross-Site Scripting Vulnerability
ThoughtWorks GoCD is a free and open source CI/CD server from ThoughtWorks, Inc. A cross-site scripting vulnerability exists in versions of ThoughtWorks GoCD prior to 21.3.0, which can be exploited by an attacker controlling a GoCD agent to plant malicious JavaScript into a failed job report...
CVE-2022-24832
GoCD is an open source continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it ca...
Authorization
GoCD is an open source continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it ca...
CVE-2022-24832
CVE-2022-24832 affects GoCD: the bundled gocd-ldap-authentication-plugin does not escape LDAP special characters in usernames when constructing LDAP queries. An LDAP-authenticated GoCD user can therefore craft and execute queries that infer facts about other L...
CVE-2022-24832 Bundled ldap-authentication-plugin fails to neutralise LDAP special elements in usernames
GoCD is an open source continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it ca...
GoCD Injection Vulnerability
GoCD is a continuous delivery server. GoCD suffers from an injection vulnerability that stems from the fact that the gocd-ldap-authentication-plugin included in GoCD Server fails to properly escape special characters when constructing an LDAP query using a username. An attacker could use this...
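The CVE-2022-24832 entries above all describe one defect: a username is interpolated into an LDAP search filter without the escaping RFC 4515 requires, so filter metacharacters in the username become filter syntax. The example below is added here and is not the plugin's code; the filter template, the function names and the sample usernames are hypothetical and constructed for illustration (the page does not show the plugin's real template). It implements the RFC 4515 value escaping, builds the filter both ways, and uses a small assertion tokenizer to show how an injected username adds a predicate to the query, which is the mechanism behind the "infer facts about other users" consequence the advisory describes.

```python
import re

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Hypothetical user-lookup template, constructed for this example.
USER_FILTER_TEMPLATE = "(&(objectClass=person)(uid={username}))"


def build_user_filter_unsafe(username: str) -> str:
    """Vulnerable form: the username is interpolated verbatim."""
    return USER_FILTER_TEMPLATE.format(username=username)


def build_user_filter_safe(username: str) -> str:
    """Hardened form: the username is escaped before interpolation."""
    return USER_FILTER_TEMPLATE.format(username=escape_filter_value(username))


# One simple assertion "(attr op value)".  The value may contain any character
# except an unescaped '(', ')' or '\', or an escaped \xx sequence, which is how
# RFC 4515 defines it.  Values may legitimately contain '=' and ','.
_ASSERTION = re.compile(
    r"\(([A-Za-z][\w;.-]*)(~=|>=|<=|=)((?:\\[0-9A-Fa-f]{2}|[^()\\])*)\)"
)


def filter_assertions(ldap_filter: str) -> list:
    """Return (attribute, operator, raw value) for every simple assertion.

    An unescaped ')' in user input terminates the current assertion and an
    unescaped '(' starts a new one, so the number of assertions is a direct
    measure of whether the input changed the query's structure.
    """
    return [(m.group(1), m.group(2), m.group(3)) for m in _ASSERTION.finditer(ldap_filter)]


# Constructed sample usernames: a benign one, a wildcard, and a structural injection
# that appends a second predicate about the user's group membership.
BENIGN_USERNAME = "alice"
WILDCARD_USERNAME = "*"
INJECTED_USERNAME = "alice)(memberOf=cn=admins,ou=groups,dc=example,dc=com"


def compare_filters(username: str) -> dict:
    """Build both filters for a username and count the assertions each contains."""
    unsafe = build_user_filter_unsafe(username)
    safe = build_user_filter_safe(username)
    return {
        "unsafe": unsafe,
        "safe": safe,
        "unsafe_assertions": len(filter_assertions(unsafe)),
        "safe_assertions": len(filter_assertions(safe)),
    }


if __name__ == "__main__":
    for name in (BENIGN_USERNAME, WILDCARD_USERNAME, INJECTED_USERNAME):
        result = compare_filters(name)
        print(f"{name!r}: unsafe={result['unsafe']}  ({result['unsafe_assertions']} assertions)")
        print(f"{' ' * len(repr(name))}  safe  ={result['safe']}  ({result['safe_assertions']} assertions)")
```

With the injected username the unsafe filter carries three assertions and the escaped one two: the attacker's `memberOf` predicate is matched as part of the `uid` value rather than as a separate condition, so the lookup can no longer be turned into a yes/no question about another attribute. In real code, prefer the escaping routine your LDAP library ships (for example `ldap.filter.escape_filter_chars` in python-ldap) over a hand-rolled table, and escape at the point of filter construction rather than relying on input validation upstream.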