{"id":"CVE-2021-43288","details":"An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker in control of a GoCD Agent can plant malicious JavaScript into a failed Job Report.","modified":"2026-04-11T18:45:37.977147Z","published":"2022-04-14T13:15:11.460Z","references":[{"type":"REPORT","url":"https://www.gocd.org/releases/#21-3-0"},{"type":"FIX","url":"https://blog.sonarsource.com/gocd-vulnerability-chain"},{"type":"FIX","url":"https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gocd/gocd","events":[{"introduced":"0"},{"fixed":"4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"},{"fixed":"f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"21.3.0"}]}}],"versions":["14.2.0","14.3.0","14.4.0","15.1.0","15.2.0","15.3.0","16.1.0","16.10.0","16.11.0","16.12.0","16.2.0","16.3.0","16.4.0","16.5.0","16.6.0","16.7.0","16.8.0","16.9.0","17.1.0","17.10.0","17.11.0","17.12.0","17.2.0","17.3.0","17.4.0","17.5.0","17.6.0","17.7.0","17.8.0","17.9.0","18.1.0","18.10.0","18.11.0","18.12.0","18.2.0","18.3.0","18.4.0","18.5.0","18.6.0","18.7.0","18.8.0","18.9.0","19.1.0","19.10.0","19.11.0","19.12.0","19.2.0","19.3.0","19.4.0","19.5.0","19.6.0","19.7.0","19.8.0","19.9.0","20.1.0","20.10.0","20.2.0","20.3.0","20.4.0","20.5.0","20.6.0","20.7.0","20.8.0","20.9.0","21.1.0","21.2.0"],"database_specific":{"vanir_signatures":[{"signature_type":"Line","id":"CVE-2021-43288-132f8abb","source":"https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4","deprecated":false,"target":{"file":"common/src/test/java/com/thoughtworks/go/domain/FolderDirectoryEntryTest.java"},"signature_version":"v1","digest":{"line_hashes":["41130404282318150981389390619315329558","117417995383817804647042997548096880401","339481908839719685303323831546175213824","185696123082887796366643922406931954908","140962149972854787697455876797272875024","172268737465801296500107483293618244501"],"threshold":0.9}},{"signature_type":"Function","id":"CVE-2021-43288-17fee504","source":"https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4","deprecated":false,"target":{"file":"common/src/main/java/com/thoughtworks/go/server/presentation/html/HtmlElement.java","function":"content"},"signature_version":"v1","digest":{"function_hash":"277832213749086550094602471120368985873","length":79}},{"signature_type":"Function","id":"CVE-2021-43288-50bcf4ba","source":"https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595","deprecated":false,"target":{"file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java","function":"getArtifact"},"signature_version":"v1","digest":{"function_hash":"169831231781064058981204781722622135125","length":935}},{"signature_type":"Line","id":"CVE-2021-43288-8ad89d5c","source":"https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4","deprecated":false,"target":{"file":"common/src/main/java/com/thoughtworks/go/domain/DirectoryEntries.java"},"signature_version":"v1","digest":{"line_hashes":["198270681855997635050275658244298040909","92694157782684808310545017511849568516","159073927930292031138447366549011488720","177899793082831555105634838780035529231"],"threshold":0.9}},{"signature_type":"Function","id":"CVE-2021-43288-8cbaf716","source":"https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595","deprecated":false,"target":{"file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java","function":"consoleout"},"signature_version":"v1","digest":{"function_hash":"46622639701462554494085306319090792137","length":805}},{"signature_type":"Line","id":"CVE-2021-43288-b126524f","source":"https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4","deprecated":false,"target":{"file":"common/src/main/java/com/thoughtworks/go/domain/FolderDirectoryEntry.java"},"signature_version":"v1","digest":{"line_hashes":["119410508526062846899070262397994851315","30735711512745886265326382857562123540","273540969283561134716709162127965113682","176275089518117490442390096014503045418"],"threshold":0.9}},{"signature_type":"Line","id":"CVE-2021-43288-b5dab9ba","source":"https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4","deprecated":false,"target":{"file":"common/src/main/java/com/thoughtworks/go/server/presentation/html/HtmlElement.java"},"signature_version":"v1","digest":{"line_hashes":["312044316349043762132660748309941610253","256637536371406419586597220985411684489","333124841869036422491056056007801561635","235771309604204505386534889221782206700","50947427936912875553634603336562278676","117681936723556710923454445676841017941","177432775209488317237403144805652479666","211145546446505473087097954992567901577","54553599175285427904195511061305691940","44321068693799336148783371705659211925","222000082690613801919619545979750701695"],"threshold":0.9}},{"signature_type":"Line","id":"CVE-2021-43288-c62c5dea","source":"https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595","deprecated":false,"target":{"file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"},"signature_version":"v1","digest":{"line_hashes":["219744567178386472931426060691752182870","33826569787096491834605372258126750130","50716403453545536161590681343053786441","36699377348188772274659214622610304835","186402665283495640455695244972906634561","105738403421211834056096073550232370866","249186177297844560674030412416911095073"],"threshold":0.9}},{"signature_type":"Line","id":"CVE-2021-43288-c932b981","source":"https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4","deprecated":false,"target":{"file":"common/src/main/java/com/thoughtworks/go/domain/FileDirectoryEntry.java"},"signature_version":"v1","digest":{"line_hashes":["236366784861235243515631465874348738547","294165472048635542858226235474378532441","29744849027231144714792298547525138320","252194360484237263014059727769367591571"],"threshold":0.9}}],"vanir_signatures_modified":"2026-04-11T18:45:37Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43288.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}