CVE-2021-43287

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-43287

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43287.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-43287

Published

2022-04-14T12:15:07.717Z

Modified

2026-04-11T18:45:38.711526Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers.

References

Affected packages

Git / github.com/gocd/gocd

Affected ranges

Type

GIT

Repo

https://github.com/gocd/gocd

Events

Introduced

Fixed

4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595

Fixed

41abc210ac4e8cfa184483c9ff1c0cc04fb3511c

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "21.3.0"
        }
    ]
}

Affected versions

14.*

14.2.0

14.3.0

14.4.0

15.*

15.1.0

15.2.0

15.3.0

16.*

16.1.0

16.10.0

16.11.0

16.12.0

16.2.0

16.3.0

16.4.0

16.5.0

16.6.0

16.7.0

16.8.0

16.9.0

17.*

17.1.0

17.10.0

17.11.0

17.12.0

17.2.0

17.3.0

17.4.0

17.5.0

17.6.0

17.7.0

17.8.0

17.9.0

18.*

18.1.0

18.10.0

18.11.0

18.12.0

18.2.0

18.3.0

18.4.0

18.5.0

18.6.0

18.7.0

18.8.0

18.9.0

19.*

19.1.0

19.10.0

19.11.0

19.12.0

19.2.0

19.3.0

19.4.0

19.5.0

19.6.0

19.7.0

19.8.0

19.9.0

20.*

20.1.0

20.10.0

20.2.0

20.3.0

20.4.0

20.5.0

20.6.0

20.7.0

20.8.0

20.9.0

21.*

21.1.0

21.2.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43287.json"

vanir_signatures_modified

"2026-04-11T18:45:38Z"

vanir_signatures

[
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595",
        "digest": {
            "function_hash": "169831231781064058981204781722622135125",
            "length": 935.0
        },
        "id": "CVE-2021-43287-50bcf4ba",
        "deprecated": false,
        "target": {
            "file": "server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java",
            "function": "getArtifact"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595",
        "digest": {
            "function_hash": "46622639701462554494085306319090792137",
            "length": 805.0
        },
        "id": "CVE-2021-43287-8cbaf716",
        "deprecated": false,
        "target": {
            "file": "server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java",
            "function": "consoleout"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "162211121821750773473144286713610008554",
                "69291429028746565225783084249821371262",
                "281471459758238047650573224173810454845",
                "223629736935696393218652085313454113683",
                "300320787969519129163131813488521038145",
                "184721705537119770187599095455167292773",
                "256013375759424369261868025196750318300",
                "53669328418647435659538602581457945324",
                "203781855448791209955411873420413770768"
            ]
        },
        "id": "CVE-2021-43287-bd2a1f11",
        "deprecated": false,
        "target": {
            "file": "server/src/main/java/com/thoughtworks/go/addon/businesscontinuity/standby/controller/DashBoardController.java"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "219744567178386472931426060691752182870",
                "33826569787096491834605372258126750130",
                "50716403453545536161590681343053786441",
                "36699377348188772274659214622610304835",
                "186402665283495640455695244972906634561",
                "105738403421211834056096073550232370866",
                "249186177297844560674030412416911095073"
            ]
        },
        "id": "CVE-2021-43287-c62c5dea",
        "deprecated": false,
        "target": {
            "file": "server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "18064623769372598632024066551605813789",
                "324731096186434849409755653426108024523",
                "47045895498496245405711633620660227826",
                "273911606524041354210993159174584419990"
            ]
        },
        "id": "CVE-2021-43287-d5074253",
        "deprecated": false,
        "target": {
            "file": "server/src/main/java/com/thoughtworks/go/addon/businesscontinuity/primary/controller/PrimaryStatusProviderController.java"
        }
    }
]