CVE-2021-44659

Published: Dec 22, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF). NOTE: the vendor's position is that the observed behavior is not a vulnerability, because the product's design allows an admin to configure outbound requests

Affected (1)

Products: Thoughtworks: Gocd

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Thoughtworks Gocd	Version 21.3.0

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (8)

https://github.com/Mesh3l911/CVE-2021-44659

Source: cve@mitre.org

Broken LinkExploitThird Party Advisory

https://github.com/gocd/gocd

Source: cve@mitre.org

ProductThird Party Advisory

https://www.gocd.org/

Source: cve@mitre.org

ProductVendor Advisory

https://youtu.be/WW_a3znugl0

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/Mesh3l911/CVE-2021-44659

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkExploitThird Party Advisory

https://github.com/gocd/gocd

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

https://www.gocd.org/

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

https://youtu.be/WW_a3znugl0

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.