CVE-2021-25924
N/A
N/A
Summary
In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the /go/api/config/backup endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the post_backup_script field.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | gocd | 19.6.0, 19.7.0, 19.8.0, 19.9.0, 19.10.0, 19.11.0, 19.12.0, 20.1.0, 20.2.0, 20.3.0, 20.4.0, 20.5.0, 20.6.0, 20.7.0, 20.8.0, 20.9.0, 20.10.0, 21.1.0 | affected |
Weaknesses
- Cross-Site Request Forgery
ADP Enrichment
CVE Program Container
Additional References
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25924%2C
- https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548
References
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25924%2C
- https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.