{"id":"CVE-2021-43290","details":"An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into a directory of a GoCD server. They can control the filename but the directory is placed inside of a directory that they can't control.","modified":"2026-03-10T23:50:33.722123Z","published":"2022-04-14T13:15:11.540Z","references":[{"type":"WEB"},{"type":"REPORT","url":"https://www.gocd.org/releases/#21-3-0"},{"type":"FIX","url":"https://blog.sonarsource.com/gocd-vulnerability-chain"},{"type":"FIX","url":"https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"},{"type":"FIX","url":"https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gocd/gocd","events":[{"introduced":"0"},{"fixed":"4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"},{"fixed":"c22e0428164af25d3e91baabd3f538a41cadc82f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"21.3.0"}]}}],"versions":["14.2.0","14.3.0","14.4.0","15.1.0","15.2.0","15.3.0","15.3.1","16.1.0","16.10.0","16.11.0","16.12.0","16.2.0","16.3.0","16.4.0","16.5.0","16.6.0","16.7.0","16.8.0","16.9.0","17.1.0","17.10.0","17.11.0","17.12.0","17.2.0","17.3.0","17.4.0","17.5.0","17.6.0","17.7.0","17.8.0","17.9.0","18.1.0","18.10.0","18.11.0","18.12.0","18.2.0","18.3.0","18.4.0","18.5.0","18.6.0","18.7.0","18.8.0","18.9.0","19.1.0","19.10.0","19.11.0","19.12.0","19.2.0","19.3.0","19.4.0","19.5.0","19.6.0","19.7.0","19.8.0","19.9.0","20.1.0","20.10.0","20.2.0","20.3.0","20.4.0","20.5.0","20.6.0","20.7.0","20.8.0","20.9.0","21.1.0","21.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43290.json","vanir_signatures":[{"target":{"file":"server/src/test-fast/java/com/thoughtworks/go/server/controller/ArtifactsControllerTest.java"},"signature_type":"Line","signature_version":"v1","source":"https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f","id":"CVE-2021-43290-38f2dc3d","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["35217849621521978421938517761391841788","178442900729342129108185183933724408964","173803221052513202178023264493049698519","272787890143355362557536696589923164456","236950073862179665243691743993640232322","66356137965835426388486276886875191017","5041689735885834485693590133693548826"]}},{"target":{"function":"getArtifact","file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"},"signature_type":"Function","signature_version":"v1","source":"https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595","id":"CVE-2021-43290-50bcf4ba","deprecated":false,"digest":{"length":935,"function_hash":"169831231781064058981204781722622135125"}},{"target":{"function":"consoleout","file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"},"signature_type":"Function","signature_version":"v1","source":"https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595","id":"CVE-2021-43290-8cbaf716","deprecated":false,"digest":{"length":805,"function_hash":"46622639701462554494085306319090792137"}},{"target":{"file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"},"signature_type":"Line","signature_version":"v1","source":"https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f","id":"CVE-2021-43290-a055a163","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["297153862272478249381986414749752215030","215072615915565691360715005872536267426","36185728995397713624474045491130696535","33713468704060082642760603567839850354","137605329014485206095835539230905619230","327973978035111290227806121788312738332","34785563908314936746383719035481271612","339757743281603299907990493356125819669","290549176892605093098220810150544117856","27528873846200926205447993033673972604","61948491231241368923281192716349665369","190031166285777672832662188882211658775","168299212905676645556210339635249599448"]}},{"target":{"function":"putArtifact","file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"},"signature_type":"Function","signature_version":"v1","source":"https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f","id":"CVE-2021-43290-a7721f85","deprecated":false,"digest":{"length":918,"function_hash":"217065692591585174985092970000626779641"}},{"target":{"function":"postArtifact","file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"},"signature_type":"Function","signature_version":"v1","source":"https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f","id":"CVE-2021-43290-b64e4db9","deprecated":false,"digest":{"length":1552,"function_hash":"163768593461045714372941000096148634503"}},{"target":{"file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"},"signature_type":"Line","signature_version":"v1","source":"https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595","id":"CVE-2021-43290-c62c5dea","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["219744567178386472931426060691752182870","33826569787096491834605372258126750130","50716403453545536161590681343053786441","36699377348188772274659214622610304835","186402665283495640455695244972906634561","105738403421211834056096073550232370866","249186177297844560674030412416911095073"]}}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}