Connect with us

Hi, what are you looking for?


Application Security

Critical GoCD Authentication Flaw Exposes Software Supply Chain

A highly-critical vulnerability in a popular open-source CI/CD solution can be exploited to hijack sensitive secrets for downstream supply chain attacks, according to a warning from SonarSource.

A highly-critical vulnerability in a popular open-source CI/CD solution can be exploited to hijack sensitive secrets for downstream supply chain attacks, according to a warning from SonarSource.

The vulnerability was flagged in GoCD, a CI/CD server product used in many parts of Silicon Valley, and can be exploited by unauthenticated attackers to siphon highly sensitive information from a vulnerable GoCD Server instance, including all encrypted secrets stored on the server.

“The vulnerability can be used to impersonate a GoCD Agent, i.e. GoCD worker, and take over software delivery pipelines. [It can be] used to take over a GoCD server and execute arbitrary code on it,” according to an advisory from SonarSoure.

SonarSource researcher Simon Scannell explained that an unauthenticated attacker can extract all tokens and secrets used in all build pipelines.

“For instance, attackers could leak API keys to external services such as Docker Hub and GitHub, steal private source code, get access to production environments, and overwrite files that are being produced as part of the build processes, leading to supply-chain attacks,” Scannell added.

[ READ: CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack ]

SonarSource warned that all GoCD instances within the version range v20.6.0 through v21.2.0 are affected . 

Advertisement. Scroll to continue reading.

The maintainers of the open-source GoCD fixed the vulnerability in version v21.3.0.

Scannell notes that the vulnerabilities work on default configurations and can be triggered even if authentication mechanisms are deployed for a GoCD server instance. 

“We highly recommend applying the available patches as quickly as possible. Although it is best practice to host CI/CD instances on an internal network, we observed hundreds of instances exposed to the internet,” Scannell added.

Related: Codecov Bash Uploader Dev Tool Compromised in Supply Chain Attack

Related: CodeCov Kills Off Bash Uploader Blamed for Supply Chain Hack

Related: Google Intros SLSA Framework to Enforce Supply Chain Integrity

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.