Missing Authentication in GoCD Business Continuity Plugin [Agent 007] ($123)
Original Post:
We discussed this vulnerability during Episode 95 on 01 November 2021
An unauthenticated file read in GoCD's Business Continuity Addon (installed and enabled by default), caused by a change to the authentication configuration that exposed the add-on's endpoints to unauthenticated users.
Prior to a 2018 patch, the /add-on/*/admin/** and /add-on/*/api/** endpoints required authentication, while any other add-on endpoints were left to the add-ons themselves to authenticate. After that patch, every endpoint under /add-on/** was reachable without authentication. This ultimately exposed several endpoints that would otherwise have required authentication; three are of note:
- /plugin, handled by PrimaryStatusProviderController.java, had a trivial directory traversal vulnerability. While the folderName parameter was checked against a whitelist, the pluginName parameter that was appended to it was not validated at all, allowing arbitrary files to be read.
- /cipher.aes exposed the AES key used to encrypt stored secrets such as tokens.
- /cruise_config exposed the primary application configuration, which includes secrets for agent registration, webhooks, and token generation.
Together, these let an unauthenticated attacker recover the application's secrets (the configuration, plus the key used to encrypt the values stored in it) and use them to reach further authenticated endpoints within the application.
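The traversal pattern in the /plugin handler is worth seeing side by side with a fixed version. The Java below is an added illustration written for this entry, not GoCD's own PrimaryStatusProviderController code: the class name, the whitelist contents, the directory layout and the sample cruise_config contents are all constructed for the demo. Only the two parameter names, folderName and pluginName, come from the description above.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

// Constructed illustration of the /plugin traversal pattern. This is NOT GoCD's
// PrimaryStatusProviderController; folder names and file layout are made up.
public class AddonFileReadDemo {

    // Hypothetical whitelist standing in for the folderName check described above.
    static final Set<String> ALLOWED_FOLDERS = Set.of("plugins", "logs");

    // Vulnerable form: folderName is whitelisted, but pluginName is appended unchecked,
    // so "../cruise_config" (or an absolute path) escapes the intended folder.
    static Path vulnerableResolve(Path base, String folderName, String pluginName) {
        if (!ALLOWED_FOLDERS.contains(folderName)) {
            throw new IllegalArgumentException("folder not allowed: " + folderName);
        }
        return base.resolve(folderName).resolve(pluginName);
    }

    // Hardened form: normalise the joined path and require that it still lies under
    // the whitelisted folder. Path.startsWith compares whole path elements, so a
    // sibling directory such as "plugins-old" is not accepted as a prefix of "plugins".
    static Path safeResolve(Path base, String folderName, String pluginName) {
        if (!ALLOWED_FOLDERS.contains(folderName)) {
            throw new IllegalArgumentException("folder not allowed: " + folderName);
        }
        Path folder = base.resolve(folderName).toAbsolutePath().normalize();
        Path target = folder.resolve(pluginName).toAbsolutePath().normalize();
        if (!target.startsWith(folder) || target.equals(folder)) {
            throw new SecurityException("path escapes " + folder + ": " + pluginName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: a whitelisted folder next to a sensitive file.
        Path base = Files.createTempDirectory("addon-demo");
        Files.createDirectories(base.resolve("plugins"));
        Files.writeString(base.resolve("plugins").resolve("status.json"), "{\"ok\":true}");
        Files.writeString(base.resolve("cruise_config"),
                "<cruise><agents autoRegisterKey=\"constructed-example\"/></cruise>");

        // A legitimate name, a relative traversal, and an absolute path.
        String[] probes = {
            "status.json",
            "../cruise_config",
            base.resolve("cruise_config").toString()
        };
        for (String pluginName : probes) {
            Path leaked = vulnerableResolve(base, "plugins", pluginName);
            System.out.println("vulnerable -> " + leaked + " : " + Files.readString(leaked));
            try {
                Path safe = safeResolve(base, "plugins", pluginName);
                System.out.println("hardened   -> " + safe + " : " + Files.readString(safe));
            } catch (SecurityException e) {
                System.out.println("hardened   -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run with `java AddonFileReadDemo.java` (Java 11 or later). The vulnerable resolver happily returns the config file for both the `../` and absolute-path probes because the whitelist only ever inspected folderName; the hardened one rejects both and accepts only status.json. Note that normalize() is purely lexical: if the whitelisted folder can contain symlinks, resolve the existing target with toRealPath() before the startsWith check so a link cannot point back outside the folder.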