CVE-2021-43286: 
GoCD Server vulnerability analysis and mitigation

An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL "Test Connection" feature to execute arbitrary code (Sonar Blog, NVD). The vulnerability was discovered and responsibly disclosed by the SonarSource R&D team and was patched in version 21.3.0, released on October 26, 2021.

The vulnerability exists in the Git URL validation process where the variable repoUrl is user-controlled, its format is not validated, and it is concatenated into the command line. While withArg() handles quoting of the repoUrl value, it does not prevent attackers from adding unintended arguments with the prefix --. The vulnerability can be exploited through three key factors: an argument can be added without character set restriction, git ls-remote requires a positional argument with refs/heads/master always added in the call, and git ls-remote implements --upload-pack option to specify the executable path on remotes (Sonar Blog). The vulnerability has a CVSS v3.1 Base Score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

Successful exploitation of this vulnerability allows attackers to execute arbitrary commands on the GoCD server. This could lead to leaking API keys to external services such as Docker Hub and GitHub, stealing private source code, gaining access to production environments, and potentially overwriting files being produced as part of the build processes, which could enable supply-chain attacks (Sonar Blog).

The vulnerability was addressed in GoCD version 21.3.0 with commit 6fa9fb7, which added stronger validation on user-controlled values and implemented the use of the end-of-options delimiter -- standardized by POSIX. Users are strongly recommended to upgrade to GoCD version 21.3.0 or later (Sonar Blog, GoCD Releases).

The GoCD Security Team was noted to be exceptionally responsive in the disclosure process, reacting quickly and working efficiently with researchers to patch the vulnerabilities. They provided a heads-up about an important Security Fix on their public Google Forum before the release (Sonar Blog).