{"id":"CVE-2021-25924","details":"In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/go/api/config/backup` endpoint. An attacker can trick a victim into clicking on a malicious link, which could change backup configurations or execute system commands in the post_backup_script field.","modified":"2026-04-12T00:09:15.687946Z","published":"2021-04-01T18:15:12.997Z","references":[{"type":"WEB","url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25924%2C"},{"type":"FIX","url":"https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gocd/gocd","events":[{"introduced":"4b674c10941b6c27d7ec2a28dd946518d9211b7a"},{"fixed":"16e1ac6956cd5177a99dc3fe33503661881c354f"},{"fixed":"7d0baab0d361c377af84994f95ba76c280048548"}],"database_specific":{"cpe":"cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"19.6.0"},{"fixed":"21.2.0"}]}}],"versions":["19.10.0","19.11.0","19.12.0","19.6.0","19.7.0","19.8.0","19.9.0","20.1.0","20.10.0","20.2.0","20.3.0","20.4.0","20.5.0","20.6.0","20.7.0","20.8.0","20.9.0","21.1.0"],"database_specific":{"vanir_signatures":[{"deprecated":false,"signature_type":"Function","id":"CVE-2021-25924-24fdfdbd","signature_version":"v1","source":"https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548","target":{"file":"api/api-backup-config-v1/src/main/java/com/thoughtworks/go/apiv1/backupconfig/BackupConfigControllerV1.java","function":"setupRoutes"},"digest":{"function_hash":"321407077403969273082490796812356271858","length":413}},{"deprecated":false,"signature_type":"Line","id":"CVE-2021-25924-76b9a835","signature_version":"v1","source":"https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548","target":{"file":"api/api-backup-config-v1/src/main/java/com/thoughtworks/go/apiv1/backupconfig/BackupConfigControllerV1.java"},"digest":{"line_hashes":["290456271028648574292916738462855074058","128884651754586473902382283956016558467","117628666451766356497316226923840181200"],"threshold":0.9}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-25924.json","vanir_signatures_modified":"2026-04-12T00:09:15Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}