CVE-2021-43287
published 2022-04-14

Priority: P1 · 81 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 26.91% (97.8th percentile)
An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers.

Affected

1 range

Vendor        Product   Version range   Fixed in
thoughtworks  gocd      < 21.3.0        21.3.0

Detection & IOCs (extracted from sources)

url: /go/add-on/business-continuity/api/plugin?folderName=&pluginName=../../../etc/passwd
path: /go/add-on/business-continuity/api/plugin
path: /cruise_config
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible GoCD Authentication Bypass URI Path - cruise_config (SET)"; flow:established,to_server; flowbits:set,ET.gocd.auth; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/cruise_config"; nocase; fast_pattern; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; reference:url,attackerkb.com/topics/ShpnUFlqDz/pre-auth-takeover-of-build-pipelines-in-gocd-cve-2021-43287/rapid7-analysis; classtype:not-suspicious; sid:2034332; rev:4; metadata:created_at 2021_11_02, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort:
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT GoCD Authentication Bypass Successful Leak"; flow:established,to_client; flowbits:isset,ET.gocd.auth; http.stat_code; content:"200"; file.data; content:"agentAutoRegisterKey="; nocase; fast_pattern; content:"webhookSecret="; nocase; content:" tokenGenerationKey="; nocase; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; reference:url,attackerkb.com/topics/ShpnUFlqDz/pre-auth-takeover-of-build-pipelines-in-gocd-cve-2021-43287/rapid7-analysis; classtype:attempted-admin; sid:2034333; rev:3; metadata:created_at 2021_11_02, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Nuclei template matches HTTP 200 response with regex 'root:.*:0:0:' indicating successful path traversal via the business-continuity plugin endpoint
  • Successful exploitation leaks GoCD secrets identifiable by response body containing the strings 'agentAutoRegisterKey=', 'webhookSecret=', and 'tokenGenerationKey='
  • Shodan queries can identify exposed GoCD instances: search for http.title 'Create a pipeline - Go' combined with html 'GoCD Version'
  • FOFA queries can identify exposed GoCD instances via title and body content
  • The attack uses path traversal via the 'pluginName' parameter of the business-continuity add-on API, which is enabled by default and requires no authentication
  • Snort/Suricata flowbit ET.gocd.auth is set on GET requests to /cruise_config URI path; a subsequent 200 response containing secret key strings confirms successful exploitation (sid:2034332 + sid:2034333)
  • The vulnerable business-continuity add-on is enabled by default in GoCD versions before 21.3.0; no authentication is required to reach the affected endpoint

CVSS provenance

nvd v3.1: 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd v2.0: 5.0 MEDIUM AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck: 7.5 HIGH