Information Disclosure via Logback Configuration Injection in GoCD Agent

Summary The GoCD Agent's logging mechanism (Logback) allows for property substitution and custom configuration loading. By default, the config directory might not exist in the installation path. However, if an attacker creates this directory and places a specially crafted agent-launcher-logback.xml file, the GoCD Agent prioritizes this external configuration over its internal defaults. This allows an attacker to exfiltrate sensitive system environment variables by injecting specific patterns into the log layout. Environment Product: GoCD Agent Version: 25.4.0 (Latest) OS: Windows 11 / Windows Server Java Version: 25.0.1 Steps to Reproduce 1. Navigate to the GoCD Agent installation directory (e.g., C:\Program Files (x86)\Go Agent\). 2. Create a new directory named config if it does not exist. 3. Create a new file named agent-launcher-logback.xml inside the config directory. 4. Paste the following malicious Logback configuration into the file: <configuration> <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> <encoder> <pattern>%n[!] EXFILTRATION_REPORT [!]%n- Host: ${HOSTNAME}%n- User: ${USERNAME}%n- Java: ${java.version}%n- WorkDir: ${user.dir}%n[!] END_OF_REPORT [!]%n%msg%n</pattern> </encoder> </appender> <root level="INFO"> <appender-ref ref="STDOUT" /> </root> </configuration> 5. Run the GoCD Agent via PowerShell (Administrator): .\go-agent.bat. 6. Observe the log output. The GoCD Agent will display: "Using logback configuration from file config\agent-launcher-logback.xml". 7. Confirm that sensitive system information (Hostname, User, Java version, etc.) is successfully evaluated and printed in the console. ## Impact An attacker or a malicious insider who can modify the agent configuration can steal sensitive environment variables. In many CI/CD environments, these variables often contain: Cloud provider credentials (AWS_ACCESS_KEY_ID, etc.) Database connection strings Internal API keys System architecture details that facilitate further attacks (SSRF/RCE) This vulnerability transforms a configuration access into a critical data exfiltration vector. I am reporting this to help improve the security of GoCD.