CVE-2021-43290

Name of the Vulnerable Software and Affected Versions ThoughtWorks GoCD versions prior to 21.3.0

Description An issue was discovered in ThoughtWorks GoCD where an attacker who has compromised a GoCD agent can upload a malicious file into a directory of a GoCD server. The attacker can control the filename, but the directory is placed inside a directory that they cannot control.

Recommendations For versions prior to 21.3.0, update to version 21.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the GoCD server's directory to minimize the risk of exploitation.