{"id":"CVE-2021-44659","details":"Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF). NOTE: the vendor's position is that the observed behavior is not a vulnerability, because the product's design allows an admin to configure outbound requests","modified":"2026-04-10T04:41:28.745196Z","published":"2021-12-22T18:15:08.013Z","references":[{"type":"ADVISORY","url":"https://www.gocd.org/"},{"type":"PACKAGE","url":"https://github.com/Mesh3l911/CVE-2021-44659"},{"type":"PACKAGE","url":"https://github.com/gocd/gocd"},{"type":"EVIDENCE","url":"https://youtu.be/WW_a3znugl0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gocd/gocd","events":[{"introduced":"0"},{"last_affected":"4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"21.3.0"}]}}],"versions":["14.2.0","14.3.0","14.4.0","15.1.0","15.2.0","15.3.0","16.1.0","16.10.0","16.11.0","16.12.0","16.2.0","16.3.0","16.4.0","16.5.0","16.6.0","16.7.0","16.8.0","16.9.0","17.1.0","17.10.0","17.11.0","17.12.0","17.2.0","17.3.0","17.4.0","17.5.0","17.6.0","17.7.0","17.8.0","17.9.0","18.1.0","18.10.0","18.11.0","18.12.0","18.2.0","18.3.0","18.4.0","18.5.0","18.6.0","18.7.0","18.8.0","18.9.0","19.1.0","19.10.0","19.11.0","19.12.0","19.2.0","19.3.0","19.4.0","19.5.0","19.6.0","19.7.0","19.8.0","19.9.0","20.1.0","20.10.0","20.2.0","20.3.0","20.4.0","20.5.0","20.6.0","20.7.0","20.8.0","20.9.0","21.1.0","21.2.0","21.3.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-44659.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}