GoCD has patched a “Highly Critical” authentication vulnerability in its CI/CD tool. GoCD is an open-source Continuous Integration and Continuous Delivery (CI/CD) system used by software developers and organizations to automate software delivery.
“This release has important security fixes and upgrades to lots of internal components. We recommend all users to upgrade to this version to safeguard your GoCD server.”
Reported under the title ‘Agent 007: Pre Auth Takeover of Build Pipelines in GoCD’, this “highly critical” authentication vulnerability could allow an unauthenticated attacker to view highly sensitive data and read arbitrary files on a GoCD server.
An attacker could leak API keys for external services such as Docker Hub and GitHub, steal private source code, gain access to production environments, and overwrite files produced as part of the build process, leading to supply chain attacks.
The issue affects GoCD versions 20.6.0 through 21.2.0. Users are strongly encouraged to upgrade to the latest version, GoCD 21.3.0, as soon as possible.
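As an added triage helper (not code from GoCD or from the original article), the script below checks a list of server version strings against the affected range 20.6.0 through 21.2.0 stated above; the hostnames and the accepted version-string formats (optional leading "v", optional trailing build information) are assumptions.

```python
import re
from typing import Dict, Tuple

# Affected range and fixed release, taken from the advisory text above.
AFFECTED_MIN = (20, 6, 0)   # first affected release
AFFECTED_MAX = (21, 2, 0)   # last affected release (inclusive)
FIXED = (21, 3, 0)          # release carrying the fix

# Assumed format: optional leading "v", dotted numeric core, anything after it ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a reported version string (e.g. '21.2.0', 'v20.6.0 (build 1)') into a 3-tuple.

    Missing components are treated as 0; unparseable input raises ValueError."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised GoCD version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version lies inside the affected range, inclusive at both ends."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each server name to 'upgrade' (affected) or 'ok' for a {name: version} inventory."""
    return {name: ("upgrade" if is_affected(ver) else "ok") for name, ver in inventory.items()}


# Constructed sample inventory; hostnames are hypothetical, not from the article.
SAMPLE_INVENTORY = {
    "ci-prod.example": "21.2.0",
    "ci-staging.example": "v21.3.0 (build 1)",
    "ci-legacy.example": "20.5.0",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```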