Impact
The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries.
While this does not directly allow arbitrary LDAP data exfiltration, it can allow an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, allowing them to deduce facts about other users or entries within the LDAP database (e.g. alternate fields, usernames, hashed passwords, etc.) through brute-force mechanisms.
This only affects users who have a working LDAP authorization configuration enabled on their GoCD server, and is only exploitable by users authenticating using such an LDAP configuration.
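The defect described above is the classic one of placing a raw username into an LDAP search filter. The following is an added example, not code from gocd-ldap-authentication-plugin or GoCD: it escapes filter assertion values per RFC 4515 and checks that the resulting filter is still a single equality assertion. The `(uid={0})` template with a `{0}` placeholder and the sample username are assumptions for illustration.

```python
# Added example (not gocd-ldap-authentication-plugin code): RFC 4515 escaping of a
# username before it is substituted into a user-search filter. The "{0}"
# placeholder convention and the sample username are constructed for this demo.

# RFC 4515 section 3: these characters must appear as \XX (hex) inside an
# assertion value. A per-character map avoids double-escaping the backslash.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search-filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str, escape: bool = True) -> str:
    """Substitute the username into a filter template such as "(uid={0})".

    escape=False reproduces the unsafe pattern the advisory describes;
    escape=True is the corrected behaviour.
    """
    value = escape_filter_value(username) if escape else username
    return template.replace("{0}", value)


def unescaped_metachars(filter_str: str) -> dict:
    """Count '(' ')' '*' that are not part of a \\XX escape sequence."""
    counts = {"(": 0, ")": 0, "*": 0}
    i = 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if ch in counts:
            counts[ch] += 1
        i += 1
    return counts


def is_single_equality_filter(filter_str: str) -> bool:
    """True when a filter built from "(attr={0})" is still one plain equality."""
    c = unescaped_metachars(filter_str)
    return c["("] == 1 and c[")"] == 1 and c["*"] == 0


if __name__ == "__main__":
    # Constructed username containing filter metacharacters.
    username = "jdoe*)(mail=*"
    print("unescaped:", build_user_filter("(uid={0})", username, escape=False))
    print("escaped:  ", build_user_filter("(uid={0})", username))
```

With escaping on, the metacharacters survive only as `\2a`, `\28` and `\29`, so the directory compares them literally against `uid` instead of widening the search.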
Patches
Fixed in GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144.
Workarounds
- removing any authorization configurations for the bundled LDAP Authentication plugin
- if running outside Docker/Helm, users on GoCD 20.9.0+ can manually upgrade the bundled plugin to v2.2.0-144
- users on GoCD 20.9.0+ not able to upgrade to 22.1.0 can consider migrating their LDAP authorization configuration to the patched v4.2.0-73+ version of the LDAP Authorization Plugin, which supports both authentication and (optional) authorization to map to GoCD roles. This plugin was also subject to the same vulnerability in versions <=4.1.0; however, since it is non-bundled, it is more easily user-upgraded.
References
For more information
If you have any questions or comments about this advisory: