CVE-2021-43287 Overview
CVE-2021-43287 is a critical information disclosure vulnerability in ThoughtWorks GoCD, a popular continuous delivery server. The vulnerability exists in the business continuity add-on, which is enabled by default in affected versions. This flaw allows unauthenticated remote attackers to access all secrets known to the GoCD server, including credentials, API keys, and other sensitive configuration data.
Critical Impact
Unauthenticated attackers can remotely access all secrets stored in GoCD servers, potentially leading to complete CI/CD pipeline compromise and lateral movement across connected infrastructure.
Affected Products
- ThoughtWorks GoCD versions prior to 21.3.0
- All installations with business continuity add-on enabled (default configuration)
- Both primary and standby GoCD server deployments
Discovery Timeline
- 2022-04-14 - CVE-2021-43287 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-43287
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The business continuity add-on in GoCD exposes API endpoints that leak sensitive server configuration and secrets without requiring authentication. The attack can be executed remotely over the network with no user interaction required, and the exploitation complexity is low.
The impact is primarily on confidentiality, as attackers gain access to all secrets known to the GoCD server. This includes database credentials, deployment keys, API tokens, and any other sensitive material stored within the CI/CD pipeline configuration.
Root Cause
The root cause lies in the business continuity add-on's controller classes, specifically PrimaryStatusProviderController and DashBoardController. These controllers exposed sensitive API endpoints via the /add-on/business-continuity/api and /add-on/business-continuity/admin/dashboard routes without proper authentication checks. Since the business continuity feature is enabled by default, all GoCD installations were vulnerable out of the box.
Attack Vector
The vulnerability is exploitable via network-based attacks targeting the exposed business continuity API endpoints. An unauthenticated attacker can simply send HTTP requests to the vulnerable endpoints to retrieve sensitive server data. The attack requires no privileges, no user interaction, and can be executed with minimal technical knowledge.
Attackers can leverage this vulnerability to:
- Extract all secrets and credentials stored in GoCD
- Gain unauthorized access to connected systems using leaked credentials
- Modify CI/CD pipelines for supply chain attacks
- Pivot to internal infrastructure using exposed deployment keys
// Security patch removing exposed endpoints
// Source: https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c
@Controller
@SuppressWarnings("WeakerAccess")
-@RequestMapping(value = "/add-on/business-continuity/api")
public class PrimaryStatusProviderController {
private GoFilesStatusProvider goFilesStatusProvider;
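Review bot: dropping the class-level @RequestMapping on PrimaryStatusProviderController leaves the class and its goFilesStatusProvider field in place as dead code; if the controller is no longer meant to serve any route, delete the class (or document why it is retained) so a later change cannot re-map it by accident, and confirm in the same commit that the standby-server consumer of /add-on/business-continuity/api is removed or repointed.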
The fix removes the @RequestMapping annotations from the vulnerable controller class and its dashboard handler methods, so the routes are never registered and the exposed API endpoints are disabled entirely.
// Dashboard controller patch
// Source: https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c
this.dashboardJSON = this::showStatusJSON;
}
- @RequestMapping(value = "/add-on/business-continuity/admin/dashboard", method = RequestMethod.GET)
@ResponseBody
public String dashboard(HttpServletRequest request, HttpServletResponse response) {
return renderAfterAuthentication(request, response, dashboardHTML);
}
- @RequestMapping(value = "/add-on/business-continuity/admin/dashboard.json", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public String dashboardData(HttpServletRequest request, HttpServletResponse response) {
return renderAfterAuthentication(request, response, dashboardJSON);
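Review bot: dashboard() and dashboardData() keep their @ResponseBody annotations and bodies after their @RequestMapping lines are removed, so they become unreachable methods that still reference renderAfterAuthentication, dashboardHTML and dashboardJSON; remove the methods and the this.dashboardJSON = this::showStatusJSON wiring together with the mappings, otherwise the whole dashboard pathway stays alive for someone to re-expose later.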
Detection Methods for CVE-2021-43287
Indicators of Compromise
- Unusual HTTP requests to /add-on/business-continuity/api/* endpoints from external IP addresses
- Access logs showing unauthenticated requests to /add-on/business-continuity/admin/dashboard or /add-on/business-continuity/admin/dashboard.json
- Unexpected access to GoCD server configuration or secrets from unfamiliar sources
- Evidence of credential usage from extracted secrets across connected systems
Detection Strategies
- Monitor web server access logs for requests containing /add-on/business-continuity/ path patterns, especially from untrusted networks
- Implement alerting on unauthenticated access attempts to GoCD administrative endpoints
- Review audit logs for any secrets or credentials being accessed without proper authentication context
- Deploy network-level monitoring to detect reconnaissance activity targeting GoCD instances
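As an added example (not code from the page or the GoCD project) of the first detection strategy above: a Python scanner over nginx combined-format access logs that flags every request to the business continuity routes and counts the successful ones from untrusted addresses. The trusted ranges, the /go context-path prefix and the sample log lines are assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# nginx combined format: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Substring match so a /go context-path prefix in front of the route is caught too.
BC_PATH = "/add-on/business-continuity/"
# Assumed trusted ranges: the only legitimate caller (a standby server) lives here.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
Hit = namedtuple("Hit", "ip ts path status external")

def is_external(ip):
    # Client address outside every trusted range -> treat as untrusted network.
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)

def scan(lines):
    # Collect every request whose path touches the business continuity add-on.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop query string before matching
        if BC_PATH in path:
            hits.append(Hit(m.group("ip"), m.group("ts"), path,
                            int(m.group("status")), is_external(m.group("ip"))))
    return hits

def summarize(hits):
    # Successful (2xx) external hits per source IP are the ones worth an alert;
    # a 403 from the reverse-proxy block rule is an attempt, not a leak.
    counts = {}
    for h in hits:
        if h.external and 200 <= h.status < 300:
            counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts

# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:08:15:02 +0000] "GET /go/add-on/business-continuity/api HTTP/1.1" 200 51234 "-" "curl/7.68.0"
203.0.113.7 - - [10/Dec/2021:08:15:05 +0000] "GET /go/add-on/business-continuity/admin/dashboard.json HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.0.4.12 - - [10/Dec/2021:08:16:00 +0000] "GET /go/add-on/business-continuity/api HTTP/1.1" 200 918 "-" "Java/11"
198.51.100.9 - - [10/Dec/2021:08:17:31 +0000] "GET /go/pipelines HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2021:08:17:40 +0000] "GET /go/add-on/business-continuity/admin/dashboard?x=1 HTTP/1.1" 403 153 "-" "python-requests/2.26"
"""
```

Run `summarize(scan(open("access.log").read().splitlines()))` against a real log; any non-empty result from before the patch date is a rotation trigger for every secret the server held.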
Monitoring Recommendations
- Enable detailed access logging on GoCD servers and forward logs to a SIEM solution
- Create alerts for any external network traffic to business continuity endpoints
- Monitor for signs of credential abuse that may indicate secrets were extracted from GoCD
- Perform regular audits of GoCD server versions across your environment to identify unpatched instances
How to Mitigate CVE-2021-43287
Immediate Actions Required
- Upgrade GoCD to version 21.3.0 or later immediately to address this vulnerability
- Audit all secrets stored in GoCD and rotate any credentials that may have been exposed
- Review access logs for evidence of exploitation and investigate any suspicious access patterns
- Restrict network access to GoCD servers using firewall rules while patching is in progress
Patch Information
ThoughtWorks has released GoCD version 21.3.0, which addresses this vulnerability by disabling the exposed business continuity API endpoints. The security fix is documented in the GoCD 21.3.0 release notes. The specific commit addressing this issue (gocd/gocd 41abc210ac4e8cfa184483c9ff1c0cc04fb3511c, linked above) can be reviewed on GitHub. For a detailed technical analysis, refer to the SonarSource blog post.
Workarounds
- Block access to /add-on/business-continuity/* endpoints at the reverse proxy or load balancer level until patching is complete
- Implement network segmentation to restrict access to GoCD servers from untrusted networks
- Deploy a web application firewall (WAF) rule to deny requests matching business continuity endpoint patterns
- If business continuity features are not required, disable the add-on through configuration if possible
# Configuration example - Block vulnerable endpoints at nginx reverse proxy
# ^~ gives this prefix location priority over any regex location that proxies to GoCD.
# return fires in the rewrite phase, before the access phase, so a separate
# "deny all" never runs and is not needed; 403 is sent without contacting the upstream.
# If GoCD is served under a context path (GoCD uses /go), add the same block for
# /go/add-on/business-continuity/ as well.
location ^~ /add-on/business-continuity/ {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.