GoCD has patched a “Highly Critical” authentication vulnerability in its GoCD CI/CD tool.
GoCD is an open-source Continuous Integration and Continuous Delivery system (CI/CD) tool that is used by software developers and organizations for automating software delivery.
“This release has important security fixes and upgrades to lots of internal components. We recommend all users to upgrade to this version to safeguard your GoCD server,” GoCD stated in the advisory.
Moreover, the Business Continuity feature has also been temporarily disabled as a part of the changes.
One of the security researchers who discovered the flaw, Simon Scannell, described the issue in more detail in a blog post titled ‘Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD.’
Scannell described the “highly critical” authentication vulnerability could allow an unauthenticated attacker to view highly sensitive data and read arbitrary files on a GoCD server.
“We rate the vulnerability presented in this blog post as highly critical, since an unauthenticated attacker can extract all tokens and secrets used in all build pipelines. For instance, attackers could leak API keys to external services such as Docker Hub and GitHub, steal private source code, get access to production environments, and overwrite files that are being produced as part of the build processes, leading to supply-chain attacks,” Scannell wrote.
He also posted an exploit video that demonstrates how a remote hacker could easily breach a GoCD instance.
The issue affects GoCD versions 20.6.0 through 21.2.0.
Users are highly encouraged to upgrade to the latest version of GoCD 21.3.0 as soon as possible.
- The 2020 CWE Top 25 Most Dangerous Software Weaknesses
- Embedded malware discovered in NPM package ua-parser-js
- Malicious PyPI software packages found stealing payment card numbers and injecting code
- PHP user database leak allegedly led to PHP source code compromise
- Attackers could have taken over an Atlassian account via one-click exploit
- OWASP API Security Top 10 2019