{"id":"CVE-2021-43286","details":"An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL \"Test Connection\" feature to execute arbitrary code.","modified":"2026-07-08T06:03:37.350407764Z","published":"2022-04-14T13:15:11.417Z","database_specific":{},"references":[{"type":"REPORT","url":"https://www.gocd.org/releases/#21-3-0"},{"type":"FIX","url":"https://blog.sonarsource.com/gocd-vulnerability-chain"},{"type":"FIX","url":"https://github.com/gocd/gocd/commit/2b77b533abcbb79c8fc758dec9984305dc1ade42"},{"type":"FIX","url":"https://github.com/gocd/gocd/commit/6fa9fb7a7c91e760f1adc2593acdd50f2d78676b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gocd/gocd","events":[{"introduced":"0"},{"fixed":"4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"},{"fixed":"2b77b533abcbb79c8fc758dec9984305dc1ade42"},{"fixed":"6fa9fb7a7c91e760f1adc2593acdd50f2d78676b"}],"database_specific":{"cpe":"cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"21.3.0"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["21.2.0","21.1.0","20.10.0","20.9.0","20.8.0","20.7.0","20.6.0","20.5.0","20.4.0","20.3.0","20.2.0","20.1.0","19.12.0","19.11.0","19.10.0","19.9.0","19.8.0","19.7.0","19.6.0","19.5.0","19.4.0","19.3.0","19.2.0","19.1.0","18.12.0","18.11.0","18.10.0","18.9.0","18.8.0","18.7.0","18.6.0","18.5.0","18.4.0","18.3.0","18.2.0","18.1.0","17.12.0","17.11.0","17.10.0","17.9.0","17.8.0","17.7.0","17.6.0","17.5.0","17.4.0","17.3.0","17.2.0","17.1.0","16.12.0","16.11.0","16.10.0","16.9.0","16.8.0","16.7.0","16.6.0","16.5.0","16.4.0","16.3.0","16.2.0","16.1.0","15.3.0","15.2.0","15.1.0","14.4.0","14.3.0","14.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43286.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}