PT-2021-16854 · Gocd · Gocd

Published: 2021-04-01 · Updated: 2021-04-06 · CVE-2021-25924

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: GoCD versions 19.6.0 through 21.1.0

Description: The issue is a Cross-Site Request Forgery (CSRF) caused by missing CSRF protection on the "/go/api/config/backup" endpoint. An attacker can trick a logged-in victim into clicking a malicious link; the resulting forged request can change the backup configuration or execute system commands through the post-backup script field.

Recommendations: For GoCD versions 19.6.0 through 21.1.0, consider disabling access to the "/go/api/config/backup" endpoint until a patch is available. Restrict who may modify backup configurations and limit execution of system commands in the post-backup script field to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
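The description above comes down to one missing control: a state-changing API route accepts any request that carries the victim's session cookie, regardless of where the request was initiated. The following is an added example, not GoCD's own code, of the two server-side checks that close that gap on such a route: rejecting requests whose Origin (or Referer) does not match the server's own origin, and, where the session holds a CSRF token, requiring the same token on the request. The trusted origin, the protected path set and the token names are assumptions chosen for the example.

```python
"""Origin- and token-based CSRF gate for a state-changing API route.

Added example (not GoCD project code). Constructed values below are
assumptions: the origin the server is served from and the protected path.
"""
import hmac
from urllib.parse import urlparse

# Assumed deployment values; replace with the real server origin.
TRUSTED_ORIGINS = {"https://gocd.example.internal"}
# The path named in the advisory; any other state-changing route could be added.
PROTECTED_PATHS = {"/go/api/config/backup"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _source_origin(headers):
    """Return 'scheme://host[:port]' from Origin, falling back to Referer.

    Returns None when neither header is present or the value is not a URL
    (for example the literal 'null' that browsers send for opaque origins).
    """
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parsed = urlparse(value)
    if not parsed.scheme or not parsed.netloc:
        return None
    return f"{parsed.scheme}://{parsed.netloc}"


def allow_request(method, path, headers, session_token=None, submitted_token=None):
    """Decide whether a request may reach a protected, state-changing route.

    Two independent controls are applied:
    1. Origin (or Referer) must match a trusted origin. Browsers attach
       Origin to cross-site POSTs, so a request forged from a third-party
       page carries that page's origin and is rejected.
    2. If the session holds a CSRF token, the request must carry the same
       token (synchroniser-token pattern); comparison is constant-time.
    Read-only methods and unprotected paths pass through unchanged.
    """
    if method.upper() not in STATE_CHANGING or path not in PROTECTED_PATHS:
        return True
    # Header names are matched case-insensitively.
    normalised = {k.title(): v for k, v in headers.items()}
    origin = _source_origin(normalised)
    if origin not in TRUSTED_ORIGINS:
        return False  # missing, malformed or foreign origin
    if session_token is not None:
        if submitted_token is None:
            return False
        return hmac.compare_digest(session_token, submitted_token)
    return True


if __name__ == "__main__":
    # Constructed sample requests against the advisory's endpoint.
    samples = [
        ("GET", {}, None, None),
        ("POST", {}, None, None),
        ("POST", {"Origin": "https://attacker.example"}, None, None),
        ("POST", {"Origin": "https://gocd.example.internal"}, None, None),
        ("POST", {"Origin": "https://gocd.example.internal"}, "tok-123", "tok-999"),
        ("POST", {"Origin": "https://gocd.example.internal"}, "tok-123", "tok-123"),
    ]
    for method, hdrs, sess, sub in samples:
        verdict = allow_request(method, "/go/api/config/backup", hdrs, sess, sub)
        print(f"{method:5} {hdrs} token={sub!r}: {'allow' if verdict else 'reject'}")
```

The Origin check alone already defeats the link-click scenario in the description, because the forged request originates from the attacker's page, not from the GoCD origin; the token check is the defence that remains effective when a client strips or omits Origin and Referer.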



Weakness Enumeration: CSRF

Related Identifiers: CVE-2021-25924

Affected Products: Gocd