Critical vulnerability discovered in popular CI/CD framework


Swiss-based code quality and code security firm SonarSource has published details of a critical vulnerability it found in GoCD, a Java-based CI/CD server, that could let attackers leak intellectual property or plant backdoors in software before it is released to the public.

The GoCD framework is a particularly attractive target for attackers since it's currently used by a range of non-governmental organisations (NGOs) and Fortune 500 companies, SonarSource said.

The company compared the potential impact to that of the SolarWinds hack, the supply-chain attack disclosed in December 2020 that Microsoft president Brad Smith described as the largest and most sophisticated attack the world had ever seen. In the case of SolarWinds, a small amount of malicious code was inserted into the Orion software's build before the update was pushed to customers, and up to 18,000 of them are thought to have installed the backdoored version.

Simon Scannell, vulnerability researcher at SonarSource, discovered a faulty filter guarding the HTTP requests sent to a GoCD server: it let unauthenticated requests through, including any made by an attacker. As he explained in his blog post, the filter applied to a request was chosen by the request's path, and every request whose path began with /add-on/ was assigned to the faulty filter. An attacker could therefore reach, and attack, any endpoint exposed by an add-on without logging in.
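The bug class described above, path-matched authentication where one prefix is routed to a handler that performs no check, is easy to see in a small model. The block below is an added illustration, not GoCD's own code: the add-on name in the paths is hypothetical, and the rule layout is a generic reconstruction of the pattern the article describes rather than GoCD's actual filter configuration. It shows the vulnerable chain next to a hardened one that denies by default, allows anonymous access only for an explicit set of exact paths, and normalises the path before matching.

```python
"""Two versions of a path-matched authentication filter chain.

Added illustration of the bug class, not GoCD's code. The vulnerable chain
maps everything under /add-on/ to a handler that does no authentication,
trusting the add-on to check for itself; the hardened chain denies by
default, whitelists anonymous access by exact path only, and normalises
the path before matching so traversal segments cannot change which rule
applies. The add-on path used in the tests is hypothetical.
"""
import posixpath
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Request:
    path: str
    user: Optional[str] = None  # None means no authenticated session


class Forbidden(Exception):
    """Raised when the filter chain refuses the request."""


def require_session(req: Request) -> None:
    if req.user is None:
        raise Forbidden(f"{req.path}: authentication required")


def no_auth(req: Request) -> None:
    """Lets the request through untouched."""


# Vulnerable: rules are prefix matches tried in order; the first hit wins.
# Everything under /add-on/ skips authentication, so any endpoint an add-on
# exposes (file reads, key and config dumps in the article) is reachable
# anonymously.
VULNERABLE_CHAIN = [
    ("/add-on/", no_auth),
    ("/auth/login", no_auth),
    ("/", require_session),
]


def dispatch_vulnerable(req: Request) -> str:
    for prefix, check in VULNERABLE_CHAIN:
        if req.path.startswith(prefix):
            check(req)
            return f"{req.path} served to {req.user or 'anonymous'}"
    raise Forbidden(f"{req.path}: no matching rule")


# Hardened: default deny, anonymous access only for an explicit set of exact
# paths, and the same session check for add-on endpoints as for core ones.
# Add-ons may still apply finer-grained authorisation afterwards, but they
# can no longer be reached without a session.
ANONYMOUS_EXACT_PATHS = frozenset({"/auth/login", "/api/v1/health"})


def dispatch_hardened(req: Request) -> str:
    path = posixpath.normpath(req.path)  # collapses "..", "." and "//"
    if not path.startswith("/"):
        raise Forbidden(f"{req.path}: relative path")
    if path not in ANONYMOUS_EXACT_PATHS:
        require_session(Request(path, req.user))
    return f"{path} served to {req.user or 'anonymous'}"


def allowed(dispatcher: Callable[[Request], str], req: Request) -> bool:
    """True if the chain would let the request reach its endpoint."""
    try:
        dispatcher(req)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    probe = Request("/add-on/example-addon/api/config")
    print("vulnerable chain, anonymous:", allowed(dispatch_vulnerable, probe))
    print("hardened chain, anonymous:  ", allowed(dispatch_hardened, probe))
```

The audit question this models is "which prefixes map to a handler that performs no check?"; a rule that answers /add-on/ (or any other whole subtree) is the finding, whatever the add-ons behind it happen to do.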

The Business Continuity add-on for GoCD is installed and enabled by default in all affected versions. It contained an arbitrary file-read vulnerability: by setting the right request parameters, the researcher found he could read files from the GoCD server's filesystem. Two further endpoints were identified as leaking sensitive information. One leaked the encryption key used to protect secrets such as access tokens, and another leaked the main configuration file of the GoCD server.

This means an attacker needed just two requests to a GoCD server to steal sensitive data from a victim's software pipeline: one to obtain the encryption key and another to fetch the configuration file containing the encrypted secrets, which that key then unlocks.
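For a defender, the two-request sequence above is also a detection opportunity: on an unpatched server, any successful request to an add-on endpoint with no session is a potential leak, and an anonymous client hitting two different add-on endpoints in quick succession is the attack pattern itself. The block below is an added example, not SonarSource's or GoCD's code. It assumes the server sits behind a proxy writing Common Log Format access lines with "-" in the user field for unauthenticated requests, and that add-on endpoints live under a path containing /add-on/; the log lines are constructed for the example, the add-on name is hypothetical, and the version check encodes only the range the article states.

```python
"""Triage helpers for the two-request attack described above.

Added example, not SonarSource's or GoCD's code. Assumes Common Log Format
access lines from a reverse proxy in front of GoCD, "-" in the user field
for requests without a session, and add-on endpoints under /add-on/.
SAMPLE_LOG is constructed; "example-addon" is a hypothetical add-on name.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
10.0.0.5 - alice [03/Nov/2021:10:00:01 +0000] "GET /go/pipelines HTTP/1.1" 200 5120
203.0.113.9 - - [03/Nov/2021:10:02:10 +0000] "GET /go/add-on/example-addon/api/key HTTP/1.1" 200 64
203.0.113.9 - - [03/Nov/2021:10:02:12 +0000] "GET /go/add-on/example-addon/api/config HTTP/1.1" 200 88211
10.0.0.7 - bob [03/Nov/2021:10:05:00 +0000] "GET /go/add-on/example-addon/api/status HTTP/1.1" 200 12
198.51.100.4 - - [03/Nov/2021:10:09:00 +0000] "GET /go/auth/login HTTP/1.1" 200 3000
198.51.100.4 - - [03/Nov/2021:10:09:05 +0000] "GET /go/add-on/example-addon/api/key HTTP/1.1" 401 0
"""


def parse_log(text):
    """Parse CLF lines into dicts; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def unauthenticated_addon_hits(entries):
    """Successful add-on requests carrying no session (each one is a
    potential leak on an unpatched server; a 401 means the check held)."""
    return [e for e in entries
            if "/add-on/" in e["path"] and e["user"] == "-" and e["status"] < 400]


def two_request_pattern(entries, window=timedelta(minutes=5)):
    """Clients that reached two or more distinct add-on endpoints anonymously
    within `window`: the key-then-config sequence the article describes.
    Returns {ip: sorted distinct paths}."""
    by_ip = defaultdict(list)
    for e in unauthenticated_addon_hits(entries):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda e: e["ts"])
        for i, first in enumerate(hits):
            paths = {h["path"] for h in hits[i:] if h["ts"] - first["ts"] <= window}
            if len(paths) >= 2:
                flagged[ip] = sorted(paths)
                break
    return flagged


FIRST_AFFECTED, FIRST_FIXED = (20, 6, 0), (21, 3, 0)


def is_affected_version(version):
    """True for the range the article names: v20.6.0 up to and including
    v21.2.0, fixed in v21.3.0."""
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    return FIRST_AFFECTED <= parts < FIRST_FIXED


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in unauthenticated_addon_hits(entries):
        print("anonymous add-on hit:", e["ip"], e["path"])
    print("two-request pattern:", two_request_pattern(entries))
    print("21.2.0 affected:", is_affected_version("21.2.0"))
```

The pattern check is deliberately loose (any two distinct add-on paths, not specific endpoint names), so it still fires if an attacker uses a different order or an endpoint the article does not mention; tune the window to your proxy's clock granularity.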

SonarSource plans to release a follow-up report detailing how it chained this bug into remote code execution (RCE).

Speaking to IT Pro, Scannell said he has identified vulnerable companies across a wide range of industries, including restaurant chains, banks, and IT consulting firms. SonarSource also said that a number of Fortune 500 companies have been alerted to the issue.

"An attack on a CI/CD solution of a large organisation, such as a Fortune 500 company, could enable an attacker to compromise a wide range of internal tools the company uses, as well as the software the company distributes to their customers," Scannell told IT Pro. "An attacker could compromise various production environments and steal intellectual property and user data.

"In contrast to a vulnerability that affects only a single service or library of a company, a compromised CI/CD server could affect every piece of software that is built and distributed by the CI/CD server."

All GoCD instances from v20.6.0 up to and including v21.2.0 are affected. SonarSource urges any business or user running a version in that range to upgrade to v21.3.0 as soon as possible.


"This might be the vuln with the highest impact I found so far.. and it is very simple to exploit," Scannell said in a tweet. "Please patch your instances."

The vulnerability is deemed highly critical by SonarSource because an attacker could extract all tokens and secrets used in all build pipelines.

"For instance, attackers could leak API keys to external services such as Docker Hub and GitHub, steal private source code, get access to production environments, and overwrite files that are being produced as part of the build processes, leading to supply-chain attacks," said Scannell.

"Having a broken authentication vulnerability would allow anyone to access the environment," said Calvin Gan, senior manager with F-Secure’s Tactical Defense Unit. "What could have transpired from there is the modification of a software package to a malicious one, or could be used to steal passwords stored on the environment (possibly combined with another vulnerability), or as stated by SonarSource, they could also potentially achieve remote code execution.

"Achieving remote code execution on a server would mean that it’s game over as the bad actor has already obtained enough access to run anything they wish in the environment because they have full control over it. Therefore, auditing your authentication deployment to ensure proper access checks are done should be an immediate next, while also ensuring that your development environment is not exposed to the public Internet."

SonarSource noted that the GoCD security team responded to the issue "very quickly", patching the vulnerabilities within two days of private disclosure. The issue was addressed by "removing the Business Continuity add-on from the core altogether," Scannell noted.

IT Pro contacted ThoughtWorks, the sponsor of the open source GoCD project, for additional comment, but it had not responded at the time of publication.

First published by SonarSource on Wednesday, the 'highly critical' vulnerability was initially not assigned a Common Vulnerabilities and Exposures (CVE) ID. Many organisations rely on CVE feeds to find vulnerable software in their infrastructure, so the issue could have been missed had attention not been drawn to it.

CVE IDs are assigned by the MITRE Corporation, which operates the CVE programme with sponsorship from the US Cybersecurity and Infrastructure Security Agency (CISA), and by other authorised CVE Numbering Authorities.

SonarSource has requested a CVE ID for the individual vulnerabilities and these are expected to be shared in the next few days.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.