CVE-2021-43290
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-43290
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43290.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-43290
- Published
- 2022-04-14T13:15:11Z
- Modified
- 2025-10-15T13:16:01.705647Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into a directory of a GoCD server. They can control the filename but the directory is placed inside of a directory that they can't control.
- References
Affected packages
Git / github.com/gocd/gocd
Affected ranges
- Type
- GIT
- Repo
- https://github.com/gocd/gocd
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
14.*
14.2.0
14.3.0
14.4.0
15.*
15.1.0
15.2.0
15.3.0
15.3.1
16.*
16.1.0
16.10.0
16.11.0
16.12.0
16.2.0
16.3.0
16.4.0
16.5.0
16.6.0
16.7.0
16.8.0
16.9.0
17.*
17.1.0
17.10.0
17.11.0
17.12.0
17.2.0
17.3.0
17.4.0
17.5.0
17.6.0
17.7.0
17.8.0
17.9.0
18.*
18.1.0
18.10.0
18.11.0
18.12.0
18.2.0
18.3.0
18.4.0
18.5.0
18.6.0
18.7.0
18.8.0
18.9.0
19.*
19.1.0
19.10.0
19.11.0
19.12.0
19.2.0
19.3.0
19.4.0
19.5.0
19.6.0
19.7.0
19.8.0
19.9.0
20.*
20.1.0
20.10.0
20.2.0
20.3.0
20.4.0
20.5.0
20.6.0
20.7.0
20.8.0
20.9.0
21.*
21.1.0
21.2.0
Database specific
vanir_signatures
[
{
"id": "CVE-2021-43290-38f2dc3d",
"digest": {
"line_hashes": [
"35217849621521978421938517761391841788",
"178442900729342129108185183933724408964",
"173803221052513202178023264493049698519",
"272787890143355362557536696589923164456",
"236950073862179665243691743993640232322",
"66356137965835426388486276886875191017",
"5041689735885834485693590133693548826"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "server/src/test-fast/java/com/thoughtworks/go/server/controller/ArtifactsControllerTest.java"
},
"source": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f",
"signature_type": "Line",
"deprecated": false
},
{
"id": "CVE-2021-43290-a055a163",
"digest": {
"line_hashes": [
"297153862272478249381986414749752215030",
"215072615915565691360715005872536267426",
"36185728995397713624474045491130696535",
"33713468704060082642760603567839850354",
"137605329014485206095835539230905619230",
"327973978035111290227806121788312738332",
"34785563908314936746383719035481271612",
"339757743281603299907990493356125819669",
"290549176892605093098220810150544117856",
"27528873846200926205447993033673972604",
"61948491231241368923281192716349665369",
"190031166285777672832662188882211658775",
"168299212905676645556210339635249599448"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"
},
"source": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f",
"signature_type": "Line",
"deprecated": false
},
{
"id": "CVE-2021-43290-a7721f85",
"digest": {
"length": 918.0,
"function_hash": "217065692591585174985092970000626779641"
},
"signature_version": "v1",
"target": {
"file": "server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java",
"function": "putArtifact"
},
"source": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f",
"signature_type": "Function",
"deprecated": false
},
{
"id": "CVE-2021-43290-b64e4db9",
"digest": {
"length": 1552.0,
"function_hash": "163768593461045714372941000096148634503"
},
"signature_version": "v1",
"target": {
"file": "server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java",
"function": "postArtifact"
},
"source": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f",
"signature_type": "Function",
"deprecated": false
}
]