3 critical vulnerabilities in GoCD, the open-source software build and release tool, allow hackers to insert backdoors in your software

The team in charge of GoCD announced the fix of three vulnerabilities that could be exploited in a chained manner to take full control of the underlying server. These flaws were assigned CVE-2021-43288, CVE-2021-43286, and CVE-2021-43289, and their discovery is credited to researchers at security firm SonarSource.

Simon Scannell, from SonarSource’s team of experts, says: “A threat actor capable of successfully exploiting these vulnerabilities can leak intellectual property, modify source code, gain access to production environments, and inject a backdoor into any software produced by the CI/CD server, opening up the possibility of a supply chain attack.”

The expert adds that the flaws can be exploited at scale, since threat actors need little prior knowledge of the target system. This report follows the release of technical details about CVE-2021-43287, an arbitrary file read flaw affecting the same platform.

The research that uncovered that flaw led to the discovery of the three newer vulnerabilities. The first of these was described as a cross-site scripting (XSS) bug: by exploiting it, a threat actor can run attacker-controlled JavaScript in the browser of a logged-in GoCD user, so that actions are performed in the GoCD interface with that user's privileges and without their knowledge.

The remaining two flaws could be chained with the XSS bug to mount more powerful attacks. "Attackers could force jobs to fail to prompt administrators to enter the GoCD interface, triggering the XSS scenario and eventually leading to remote code execution," the researcher adds.

The SonarSource team reported these flaws to GoCD's maintainers in late October, and the patches were released shortly afterwards. Users of affected deployments are advised to upgrade to v21.3.0, which contains fixes for all four reported vulnerabilities, including CVE-2021-43287. Scannell concluded by acknowledging that GoCD's developers acted promptly, which narrows the window for mass exploitation of the vulnerabilities found by his team.
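Since the only remediation named in the article is the upgrade to v21.3.0, the first thing a practitioner will want is a quick way to tell whether a given GoCD server is still on an earlier release. The script below is an added example written for this page, not code from GoCD or SonarSource. It assumes that GoCD's version API at `/go/api/version` (requested with the `Accept: application/vnd.go.cd.v1+json` header) returns a JSON object with a `version` field; the sample responses embedded in the script are constructed, not captured from a real server, and a server with authentication enabled may refuse the unauthenticated request.

```python
"""Check whether a GoCD server predates the 21.3.0 release that fixes
CVE-2021-43286, CVE-2021-43287, CVE-2021-43288 and CVE-2021-43289.

Added example for this article; not part of GoCD or SonarSource's code.
"""
import json
import re
import sys
from urllib.request import Request, urlopen

# First release containing the four fixes, per the article.
FIXED_VERSION = (21, 3, 0)
PATCHED_CVES = (
    "CVE-2021-43286",
    "CVE-2021-43287",
    "CVE-2021-43288",
    "CVE-2021-43289",
)


def parse_version(text):
    """Turn '21.2.0' or '21.3.0 (13177-abcdef)' into a tuple of ints.

    Tuples compare element-wise, so (20, 10, 0) < (21, 3, 0) even though
    the string '20.10.0' would sort after '21.3.0' lexically.
    """
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised GoCD version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_json):
    """Decide from a version API response whether the upgrade is still needed."""
    data = json.loads(version_json)
    version = parse_version(data["version"])
    vulnerable = version < FIXED_VERSION
    if vulnerable:
        advice = "upgrade to GoCD 21.3.0 or later"
    else:
        advice = "release includes fixes for " + ", ".join(PATCHED_CVES)
    return {
        "version": ".".join(str(part) for part in version),
        "vulnerable": vulnerable,
        "advice": advice,
    }


def fetch_version_json(base_url, timeout=10):
    """Fetch the version document from a live server (network access needed).

    Assumption: the endpoint path and Accept header follow GoCD's
    documented version API; servers with authentication enabled may
    require credentials that this helper does not supply.
    """
    request = Request(
        base_url.rstrip("/") + "/go/api/version",
        headers={"Accept": "application/vnd.go.cd.v1+json"},
    )
    with urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


# Constructed sample responses (not captured from any real GoCD server).
SAMPLE_VULNERABLE = json.dumps(
    {"version": "21.2.0", "full_version": "21.2.0 (12900-constructed)"}
)
SAMPLE_PATCHED = json.dumps(
    {"version": "21.3.0", "full_version": "21.3.0 (13177-constructed)"}
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python gocd_version_check.py https://gocd.example.internal
        print(assess(fetch_version_json(sys.argv[1])))
    else:
        for sample in (SAMPLE_VULNERABLE, SAMPLE_PATCHED):
            print(assess(sample))
```

Run with no arguments to see the two constructed samples classified; pass a server URL to query a live instance. The version tuple comparison matters because GoCD's release numbers are year.month based, so a string comparison would misorder releases such as 20.10.0 and 21.3.0.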

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.