
GoCD information disclosure (CVE-2021-43287)

Description

GoCD versions with the Business Continuity add-on contain an information disclosure vulnerability (CVE-2021-43287) that allows unauthenticated remote attackers to access sensitive configuration files and credentials. Because no authentication is required, attackers can retrieve critical system information that may lead to complete server compromise.

Remediation

Immediately upgrade GoCD to a patched version that addresses CVE-2021-43287. If the Business Continuity add-on is not required, disable or remove it until the upgrade can be completed. After upgrading, rotate all credentials, API tokens, and secrets that may have been exposed, including repository access tokens, deployment keys, and service account credentials. Review access logs for suspicious activity or unauthorized file access that occurred before remediation.
