CVE-2021-43286

{"id": "CVE-2021-43286", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-04-14T13:15:11.417", "references": [{"url": "https://blog.sonarsource.com/gocd-vulnerability-chain", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/gocd/gocd/commit/2b77b533abcbb79c8fc758dec9984305dc1ade42", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/gocd/gocd/commit/6fa9fb7a7c91e760f1adc2593acdd50f2d78676b", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.gocd.org/releases/#21-3-0", "tags": ["Issue Tracking", "Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL \"Test Connection\" feature to execute arbitrary code."}, {"lang": "es", "value": "Se ha detectado un problema en ThoughtWorks GoCD versiones anteriores a 21.3.0. Un atacante con privilegios para crear un nuevo pipeline en un servidor GoCD puede abusar de una inyecci\u00f3n de l\u00ednea de comandos en la funci\u00f3n \"Test Connection\" de Git URL para ejecutar c\u00f3digo arbitrario"}], "lastModified": "2022-04-21T20:39:21.970", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "96C28DAA-9A8B-46E3-9443-656B378A26D8", "versionEndExcluding": "21.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}