Three new vulnerabilities discovered in GoCD
November 2021 by SonarSource
SonarSource recently discovered a highly critical a GoCD vulnerability which allows unauthenticated attackers to impersonate build agents and access features previously protected by authentication mechanisms. GoCD is one of the top 10 CI/CD systems used by Fortune 500 companies to build and deploy software. Today, the SonarSource R&D team uncovered three additional vulnerabilities that can allow attackers to compromise a GoCD instance and to take over the underlying server. These include:
A vulnerability that can be used by attackers impersonating build agents to force administrators to perform security-sensitive actions without their knowledge.
Two vulnerabilities that could be chained with it to fully compromise the targeted instance by executing arbitrary commands on the server hosting GoCD.
Ultimately, these vulnerabilities enable attackers to take control of any component within a release pipeline and to leak intellectual property or insert backdoors in a company’s software. This type of scenario unfolded in the SolarWinds hack, with attackers gained access to the software delivery pipeline and adding a backdoor to critical software.