{"id":"CVE-2021-43290","details":"An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into a directory of a GoCD server. They can control the filename but the directory is placed inside of a directory that they can't control.","modified":"2026-05-18T22:24:17.363470Z","published":"2022-04-14T13:15:11.540Z","references":[{"type":"REPORT","url":"https://www.gocd.org/releases/#21-3-0"},{"type":"FIX","url":"https://blog.sonarsource.com/gocd-vulnerability-chain"},{"type":"FIX","url":"https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"},{"type":"FIX","url":"https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gocd/gocd","events":[{"introduced":"0"},{"fixed":"4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"},{"fixed":"c22e0428164af25d3e91baabd3f538a41cadc82f"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"21.3.0"}],"cpe":"cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*"}}],"versions":["21.2.0","21.1.0","20.10.0","20.9.0","20.8.0","20.7.0","20.6.0","20.5.0","20.4.0","20.3.0","20.2.0","20.1.0","19.12.0","19.11.0","19.10.0","19.9.0","19.8.0","19.7.0","19.6.0","19.5.0","19.4.0","19.3.0","19.2.0","19.1.0","18.12.0","18.11.0","18.10.0","18.9.0","18.8.0","18.7.0","18.6.0","18.5.0","18.4.0","18.3.0","18.2.0","18.1.0","17.12.0","17.11.0","17.10.0","17.9.0","17.8.0","17.7.0","17.6.0","17.5.0","17.4.0","17.3.0","17.2.0","17.1.0","16.12.0","16.11.0","16.10.0","16.9.0","16.8.0","16.7.0","16.6.0","16.5.0","16.4.0","16.3.0","16.2.0","16.1.0","15.3.0","15.2.0","15.1.0","14.4.0","14.3.0","14.2.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43290.json","vanir_signatures_modified":"2026-05-18T22:24:17Z","vanir_signatures":[{"signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"server/src/test-fast/java/com/thoughtworks/go/server/controller/ArtifactsControllerTest.java"},"id":"CVE-2021-43290-38f2dc3d","digest":{"threshold":0.9,"line_hashes":["35217849621521978421938517761391841788","178442900729342129108185183933724408964","173803221052513202178023264493049698519","272787890143355362557536696589923164456","236950073862179665243691743993640232322","66356137965835426388486276886875191017","5041689735885834485693590133693548826"]},"source":"https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"},{"signature_version":"v1","deprecated":false,"signature_type":"Function","target":{"function":"getArtifact","file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"},"id":"CVE-2021-43290-50bcf4ba","digest":{"function_hash":"169831231781064058981204781722622135125","length":935},"source":"https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"},{"signature_version":"v1","deprecated":false,"signature_type":"Function","target":{"function":"consoleout","file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"},"id":"CVE-2021-43290-8cbaf716","digest":{"function_hash":"46622639701462554494085306319090792137","length":805},"source":"https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"},{"signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"},"id":"CVE-2021-43290-a055a163","digest":{"threshold":0.9,"line_hashes":["297153862272478249381986414749752215030","215072615915565691360715005872536267426","36185728995397713624474045491130696535","33713468704060082642760603567839850354","137605329014485206095835539230905619230","327973978035111290227806121788312738332","34785563908314936746383719035481271612","339757743281603299907990493356125819669","290549176892605093098220810150544117856","27528873846200926205447993033673972604","61948491231241368923281192716349665369","190031166285777672832662188882211658775","168299212905676645556210339635249599448"]},"source":"https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"},{"signature_version":"v1","deprecated":false,"signature_type":"Function","target":{"function":"putArtifact","file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"},"id":"CVE-2021-43290-a7721f85","digest":{"function_hash":"217065692591585174985092970000626779641","length":918},"source":"https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"},{"signature_version":"v1","deprecated":false,"signature_type":"Function","target":{"function":"postArtifact","file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"},"id":"CVE-2021-43290-b64e4db9","digest":{"function_hash":"163768593461045714372941000096148634503","length":1552},"source":"https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"},{"signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"server/src/main/java/com/thoughtworks/go/server/controller/ArtifactsController.java"},"id":"CVE-2021-43290-c62c5dea","digest":{"threshold":0.9,"line_hashes":["219744567178386472931426060691752182870","33826569787096491834605372258126750130","50716403453545536161590681343053786441","36699377348188772274659214622610304835","186402665283495640455695244972906634561","105738403421211834056096073550232370866","249186177297844560674030412416911095073"]},"source":"https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}