Search criteria
16 vulnerabilities by gocd
CVE-2024-56324 (GCVE-0-2024-56324)
Vulnerability from cvelistv5 – Published: 2025-01-03 15:56 – Updated: 2025-01-03 18:05
Summary
GoCD is a continuous delivery server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse the ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's "group admin" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control.
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T18:04:54.319891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T18:05:04.820Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 24.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD \"group admins\" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one\u0027s \"group admin\" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one\u0027s GoCD server to arbitrary locations using some kind of environment egress control."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T15:56:52.174Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78"
},
{
"name": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/24.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"name": "https://www.gocd.org/releases/#24-5-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#24-5-0"
}
],
"source": {
"advisory": "GHSA-3w9f-fgr5-5g78",
"discovery": "UNKNOWN"
},
"title": "GoCD vulnerable to XXE injection via abuse of pipeline XML \"snippet\" editing by group admins"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56324",
"datePublished": "2025-01-03T15:56:52.174Z",
"dateReserved": "2024-12-18T23:44:51.604Z",
"dateUpdated": "2025-01-03T18:05:04.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56322 (GCVE-0-2024-56322)
Vulnerability from cvelistv5 – Published: 2025-01-03 15:49 – Updated: 2025-01-03 17:10
Summary
GoCD is a continuous delivery server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control.
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T17:09:40.613611Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T17:10:02.906Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 16.7.0, \u003c 24.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T15:49:48.294Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7"
},
{
"name": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/24.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"name": "https://www.gocd.org/releases/#24-5-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#24-5-0"
}
],
"source": {
"advisory": "GHSA-8xwx-hf68-8xq7",
"discovery": "UNKNOWN"
},
"title": "GoCD vulnerable to XXE injection via abuse of unused XML configuration repository functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56322",
"datePublished": "2025-01-03T15:49:48.294Z",
"dateReserved": "2024-12-18T23:44:51.604Z",
"dateUpdated": "2025-01-03T17:10:02.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56321 (GCVE-0-2024-56321)
Vulnerability from cvelistv5 – Published: 2025-01-03 15:41 – Updated: 2025-01-03 17:50
Summary
GoCD is a continuous delivery server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has the ability to configure and schedule pipeline tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup-scripts. However, in restricted environments where the host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T17:49:54.699823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T17:50:41.277Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 18.9.0, \u003c 24.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration \"post-backup script\" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD\u0027s user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has ability to configure and schedule pipelines tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup-scripts. However in restricted environments where the host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-36",
"description": "CWE-36: Absolute Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T15:48:22.716Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-7jr3-gh3w-vjxq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-7jr3-gh3w-vjxq"
},
{
"name": "https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/24.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"name": "https://www.gocd.org/releases/#24-5-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#24-5-0"
}
],
"source": {
"advisory": "GHSA-7jr3-gh3w-vjxq",
"discovery": "UNKNOWN"
},
"title": "GoCD can allow malicious GoCD admins to abuse backup configuration to gain additional host access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56321",
"datePublished": "2025-01-03T15:41:40.737Z",
"dateReserved": "2024-12-18T23:44:51.604Z",
"dateUpdated": "2025-01-03T17:50:41.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56320 (GCVE-0-2024-56320)
Vulnerability from cvelistv5 – Published: 2025-01-03 15:37 – Updated: 2025-01-03 17:51
Summary
GoCD is a continuous delivery server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. It is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediately upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to a more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account.
CWE
- CWE-285 - Improper Authorization
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T17:51:17.956995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T17:51:30.429Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 24.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous deliver server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin \"Configuration XML\" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. it is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediate upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T15:48:34.531Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j"
},
{
"name": "https://github.com/gocd/gocd/commit/68b598b97bd283a5a85e20d018d69fe86acf4165",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/68b598b97bd283a5a85e20d018d69fe86acf4165"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/24.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"name": "https://www.gocd.org/releases/#24-5-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#24-5-0"
}
],
"source": {
"advisory": "GHSA-346h-q594-rj8j",
"discovery": "UNKNOWN"
},
"title": "GoCD vulnerable to admin privilege escalation by a malicious internal/existing authenticated user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56320",
"datePublished": "2025-01-03T15:37:12.694Z",
"dateReserved": "2024-12-18T23:44:51.603Z",
"dateUpdated": "2025-01-03T17:51:30.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28866 (GCVE-0-2024-28866)
Vulnerability from cvelistv5 – Published: 2024-05-13 13:53 – Updated: 2024-08-02 00:56
Summary
GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on the loading page displayed while GoCD is starting, via abuse of a `redirect_to` query parameter with inadequate validation.
Attackers could theoretically abuse the query parameter to steal session tokens or other values from the user's browser. In practice, exploiting this to perform privileged actions is likely rather difficult because the target user would need to be triggered to open an attacker-crafted link in the period where the server is starting up (but not completely started), requiring chaining with a separate denial-of-service vulnerability. Additionally, GoCD server restarts invalidate earlier session tokens (i.e. GoCD does not support persistent sessions), so a stolen session token would be unusable once the server has completed restart, and executed XSS would be done within a logged-out context.
The issue is fixed in GoCD 24.1.0. As a workaround, it is technically possible in earlier GoCD versions to override the loading page with an earlier version which is not vulnerable, by starting GoCD with the Java system property override as either `-Dloading.page.resource.path=/loading_pages/default.loading.page.html` (simpler early version of loading page without GoCD introduction) or `-Dloading.page.resource.path=/does_not_exist.html` (to display a simple message with no interactivity).
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28866",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-13T17:15:21.009341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:33.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:56:58.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh"
},
{
"name": "https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/24.1.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.1.0"
},
{
"name": "https://www.gocd.org/releases/#24-1-0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#24-1-0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 19.4.0, \u003c 24.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on the loading page displayed while GoCD is starting, via abuse of a `redirect_to` query parameter with inadequate validation.\n\nAttackers could theoretically abuse the query parameter to steal session tokens or other values from the user\u0027s browser. In practice exploiting this to perform privileged actions is likely rather difficult to exploit because the target user would need to be triggered to open an attacker-crafted link in the period where the server is starting up (but not completely started), requiring chaining with a separate denial-of-service vulnerability. Additionally, GoCD server restarts invalidate earlier session tokens (i.e GoCD does not support persistent sessions), so a stolen session token would be unusable once the server has completed restart, and executed XSS would be done within a logged-out context.\n\nThe issue is fixed in GoCD 24.1.0. As a workaround, it is technically possible in earlier GoCD versions to override the loading page with an earlier version which is not vulnerable, by starting GoCD with the Java system property override as either `-Dloading.page.resource.path=/loading_pages/default.loading.page.html` (simpler early version of loading page without GoCD introduction) or `-Dloading.page.resource.path=/does_not_exist.html` (to display a simple message with no interactivity)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-13T13:53:30.719Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh"
},
{
"name": "https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/24.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.1.0"
},
{
"name": "https://www.gocd.org/releases/#24-1-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#24-1-0"
}
],
"source": {
"advisory": "GHSA-q882-q6mm-mgvh",
"discovery": "UNKNOWN"
},
"title": "GoCD vulnerable to reflected Cross-site Scripting possible on server loading page during start-up"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28866",
"datePublished": "2024-05-13T13:53:30.719Z",
"dateReserved": "2024-03-11T22:45:07.687Z",
"dateUpdated": "2024-08-02T00:56:58.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28629 (GCVE-0-2023-28629)
Vulnerability from cvelistv5 – Published: 2023-03-27 20:36 – Updated: 2025-02-19 15:15
Summary
GoCD is an open source continuous delivery server. GoCD versions before 23.1.0 are vulnerable to a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. An attacker that has permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing an XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Details for runs of the affected pipeline, potentially allowing them to perform arbitrary actions within the victim's browser context rather than their own. This issue has been fixed in GoCD 23.1.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:43:23.219Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm"
},
{
"name": "https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193"
},
{
"name": "https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce"
},
{
"name": "https://docs.gocd.org/current/configuration/pipeline_labeling.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.gocd.org/current/configuration/pipeline_labeling.html"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/23.1.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/23.1.0"
},
{
"name": "https://www.gocd.org/releases/#23-1-0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#23-1-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28629",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T15:15:06.368099Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T15:15:27.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 23.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is an open source continuous delivery server. GoCD versions before 23.1.0 are vulnerable to a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. An attacker that has permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing a XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Details for runs of the affected pipeline, potentially allowing them to perform arbitrary actions within the victim\u0027s browser context rather than their own. This issue has been fixed in GoCD 23.1.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T20:36:27.329Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm"
},
{
"name": "https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193"
},
{
"name": "https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce"
},
{
"name": "https://docs.gocd.org/current/configuration/pipeline_labeling.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.gocd.org/current/configuration/pipeline_labeling.html"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/23.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/23.1.0"
},
{
"name": "https://www.gocd.org/releases/#23-1-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#23-1-0"
}
],
"source": {
"advisory": "GHSA-3vvg-gjfr-q9vm",
"discovery": "UNKNOWN"
},
"title": "Stored XSS possible on VSM and Job Details pages via malicious pipeline label configuration in gocd"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28629",
"datePublished": "2023-03-27T20:36:27.329Z",
"dateReserved": "2023-03-20T12:19:47.207Z",
"dateUpdated": "2025-02-19T15:15:27.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28630 (GCVE-0-2023-28630)
Vulnerability from cvelistv5 – Published: 2023-03-27 20:33 – Updated: 2025-02-19 15:18
Summary
GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0, if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools, the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled, but does not have access to the `pg_dump` or `mysqldump` utility tools to backup the configured database type (PostgreSQL or MySQL respectively). In such cases, failure to launch the expected backup utility reports the shell environment used to attempt to launch in the server admin alert, which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use. This issue has been addressed and fixed in GoCD 23.1.0. Users are advised to upgrade. Users unable to upgrade may disable backups, or administrators should ensure that the required `pg_dump` (PostgreSQL) or `mysqldump` (MySQL) binaries are available on the GoCD server when backups are triggered.
Severity ?
4.2 (Medium)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:43:23.693Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv"
},
{
"name": "https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/23.1.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/23.1.0"
},
{
"name": "https://www.gocd.org/releases/#23-1-0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#23-1-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28630",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T15:18:08.572909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T15:18:28.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 20.5.0, \u003c 23.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0, if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools, the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled, but does not have access to the `pg_dump` or `mysqldump` utility tools to backup the configured database type (PostgreSQL or MySQL respectively). In such cases, failure to launch the expected backup utility reports the shell environment used to attempt to launch in the server admin alert, which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use. This issue has been addressed and fixed in GoCD 23.1.0. Users are advised to upgrade. Users unable to upgrade may disable backups, or administrators should ensure that the required `pg_dump` (PostgreSQL) or `mysqldump` (MySQL) binaries are available on the GoCD server when backups are triggered."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T20:33:48.775Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv"
},
{
"name": "https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/23.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/23.1.0"
},
{
"name": "https://www.gocd.org/releases/#23-1-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#23-1-0"
}
],
"source": {
"advisory": "GHSA-p95w-gh78-qjmv",
"discovery": "UNKNOWN"
},
"title": "Sensitive information disclosure possible on misconfigured failed backups of non-H2 databases in gocd"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28630",
"datePublished": "2023-03-27T20:33:48.775Z",
"dateReserved": "2023-03-20T12:19:47.207Z",
"dateUpdated": "2025-02-19T15:18:28.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39311 (GCVE-0-2022-39311)
Vulnerability from cvelistv5 – Published: 2022-10-14 00:00 – Updated: 2025-04-23 16:49
Summary
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary Java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication or register a new agent to practically exploit this vulnerability. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.
Severity ?
9.1 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.068Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.gocd.org/releases/#21-1-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:47:44.162898Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:49:45.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 21.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication or register a new agent to practically exploit this vulnerability. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm"
},
{
"url": "https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8"
},
{
"url": "https://www.gocd.org/releases/#21-1-0"
}
],
"source": {
"advisory": "GHSA-2hjh-3p3p-8hcm",
"discovery": "UNKNOWN"
},
"title": "Compromised agents may be able to execute remote code on GoCD Server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39311",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:49:45.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39309 (GCVE-0-2022-39309)
Vulnerability from cvelistv5 – Published: 2022-10-14 00:00 – Updated: 2025-04-23 16:49
Summary
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt/decrypt any secure variables/secrets in GoCD configuration to authenticated agents. A malicious/compromised agent may then expose that key from memory, and potentially allow an attacker the ability to decrypt secrets intended for other agents/environments if they also are able to obtain access to encrypted configuration values from the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.
Severity ?
4.9 (Medium)
CWE
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.098Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.gocd.org/releases/#21-1-0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-f9qg-xcxq-cgv9"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/691b479f1310034992da141760e9c5d1f5b60e8a"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/21.1.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39309",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:56:17.902774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:49:57.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 21.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt/decrypt any secure variables/secrets in GoCD configuration to authenticated agents. A malicious/compromised agent may then expose that key from memory, and potentially allow an attacker the ability to decrypt secrets intended for other agents/environments if they also are able to obtain access to encrypted configuration values from the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-499",
"description": "CWE-499: Serializable Class Containing Sensitive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://www.gocd.org/releases/#21-1-0"
},
{
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-f9qg-xcxq-cgv9"
},
{
"url": "https://github.com/gocd/gocd/commit/691b479f1310034992da141760e9c5d1f5b60e8a"
},
{
"url": "https://github.com/gocd/gocd/releases/tag/21.1.0"
}
],
"source": {
"advisory": "GHSA-f9qg-xcxq-cgv9",
"discovery": "UNKNOWN"
},
"title": "GoCD server secret encryption/decryption key leaked to agents during material serialization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39309",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:49:57.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39308 (GCVE-0-2022-39308)
Vulnerability from cvelistv5 – Published: 2022-10-14 00:00 – Updated: 2025-04-23 16:50
Summary
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access token generated by a user for API access. This issue is fixed in GoCD version 19.11.0. As a workaround, users can apply rate limiting or insert random delays to API calls made to GoCD Server via a reverse proxy or other fronting web server. As another workaround, users may disallow use of access tokens by having an administrator revoke all access tokens through the "Access Token Management" admin function.
Severity ?
6.5 (Medium)
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.019Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-999p-fp84-jcpq"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/236d4baf92e6607f2841c151c855adcc477238b8"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/19.11.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.gocd.org/releases/#19-11-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:56:20.518050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:50:02.531Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 19.2.0, \u003c 19.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access token generated by a user for API access. This issue is fixed in GoCD version 19.11.0. As a workaround, users can apply rate limiting or insert random delays to API calls made to GoCD Server via a reverse proxy or other fronting web server. Another workaround, users may disallow use of access tokens by users by having an administrator revoke all access tokens through the \"Access Token Management\" admin function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1254",
"description": "CWE-1254: Incorrect Comparison Logic Granularity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-999p-fp84-jcpq"
},
{
"url": "https://github.com/gocd/gocd/commit/236d4baf92e6607f2841c151c855adcc477238b8"
},
{
"url": "https://github.com/gocd/gocd/releases/tag/19.11.0"
},
{
"url": "https://www.gocd.org/releases/#19-11-0"
}
],
"source": {
"advisory": "GHSA-999p-fp84-jcpq",
"discovery": "UNKNOWN"
},
"title": "GoCD API authentication of user access tokens subject to timing attack during comparison"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39308",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:50:02.531Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39310 (GCVE-0-2022-39310)
Vulnerability from cvelistv5 – Published: 2022-10-14 00:00 – Updated: 2025-04-23 16:49
Summary
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authenticated agent to impersonate another agent, and thus receive work packages for other agents due to broken access control and incorrect validation of agent tokens within the GoCD server. Since work packages can contain sensitive information such as credentials intended only for a given job running against a specific agent environment, this can cause accidental information disclosure. Exploitation requires knowledge of agent identifiers and ability to authenticate as an existing agent with the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.
Severity ?
4.9 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.108Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.gocd.org/releases/#21-1-0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-4fp5-33jh-hgcq"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/pull/8877"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39310",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:56:15.446460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:49:51.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 21.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authenticated agent to impersonate another agent, and thus receive work packages for other agents due to broken access control and incorrect validation of agent tokens within the GoCD server. Since work packages can contain sensitive information such as credentials intended only for a given job running against a specific agent environment, this can cause accidental information disclosure. Exploitation requires knowledge of agent identifiers and ability to authenticate as an existing agent with the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://www.gocd.org/releases/#21-1-0"
},
{
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-4fp5-33jh-hgcq"
},
{
"url": "https://github.com/gocd/gocd/pull/8877"
}
],
"source": {
"advisory": "GHSA-4fp5-33jh-hgcq",
"discovery": "UNKNOWN"
},
"title": "Malicious agent may be able to impersonate another agent in GoCD"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39310",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:49:51.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36088 (GCVE-0-2022-36088)
Vulnerability from cvelistv5 – Published: 2022-09-07 22:55 – Updated: 2025-04-23 17:13
Summary
GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the permission of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions.
Severity ?
5 (Medium)
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.516Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.2.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#22-2-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36088",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:01:13.434156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:13:25.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 22.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the the permission of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-07T22:55:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.2.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#22-2-0"
}
],
"source": {
"advisory": "GHSA-gpv4-xqhc-5vcj",
"discovery": "UNKNOWN"
},
"title": "GoCD Windows installations outside default location inadequately restrict installation file permissions",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36088",
"STATE": "PUBLIC",
"TITLE": "GoCD Windows installations outside default location inadequately restrict installation file permissions"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_value": "\u003c 22.2.0"
}
]
}
}
]
},
"vendor_name": "gocd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the the permission of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-269: Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj",
"refsource": "CONFIRM",
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj"
},
{
"name": "https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/22.2.0",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/releases/tag/22.2.0"
},
{
"name": "https://www.gocd.org/releases/#22-2-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#22-2-0"
}
]
},
"source": {
"advisory": "GHSA-gpv4-xqhc-5vcj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36088",
"datePublished": "2022-09-07T22:55:10.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:13:25.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29184 (GCVE-0-2022-29184)
Vulnerability from cvelistv5 – Published: 2022-05-20 19:25 – Updated: 2025-04-23 18:24
Summary
GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where "pipelines-as-code" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image.
Severity
8.8 (High)
CWE
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:53.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:53:02.382348Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:24:09.245Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 22.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where \"pipelines-as-code\" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-20T19:25:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb"
}
],
"source": {
"advisory": "GHSA-vf5r-r7j2-cf2h",
"discovery": "UNKNOWN"
},
"title": "Command Injection/Argument Injection in GoCD",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29184",
"STATE": "PUBLIC",
"TITLE": "Command Injection/Argument Injection in GoCD"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_value": "\u003c 22.1.0"
}
]
}
}
]
},
"vendor_name": "gocd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where \"pipelines-as-code\" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gocd/gocd/releases/tag/22.1.0",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"name": "https://www.gocd.org/releases/#22-1-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h",
"refsource": "CONFIRM",
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h"
},
{
"name": "https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb"
}
]
},
"source": {
"advisory": "GHSA-vf5r-r7j2-cf2h",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29184",
"datePublished": "2022-05-20T19:25:14.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:24:09.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29183 (GCVE-0-2022-29183)
Vulnerability from cvelistv5 – Published: 2022-05-20 19:10 – Updated: 2025-04-23 18:24
Summary
GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function.
Severity
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.350Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/21.4.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#21-4-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29183",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:07:06.082996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:24:15.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 20.2.0, \u003c 21.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function\u0027s error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-20T19:10:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/21.4.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#21-4-0"
}
],
"source": {
"advisory": "GHSA-3vvq-q4qv-x2gf",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS in GoCD",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29183",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS in GoCD"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_value": "\u003e= 20.2.0, \u003c 21.4.0"
}
]
}
}
]
},
"vendor_name": "gocd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function\u0027s error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf",
"refsource": "CONFIRM",
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf"
},
{
"name": "https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/21.4.0",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/releases/tag/21.4.0"
},
{
"name": "https://www.gocd.org/releases/#21-4-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#21-4-0"
}
]
},
"source": {
"advisory": "GHSA-3vvq-q4qv-x2gf",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29183",
"datePublished": "2022-05-20T19:10:11.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:24:15.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29182 (GCVE-0-2022-29182)
Vulnerability from cvelistv5 – Published: 2022-05-20 19:05 – Updated: 2025-04-23 18:24
Summary
GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run's Stage Details > Graphs tab. It is possible for a malicious script on an attacker-hosted site to execute script that will run within the user's browser context and GoCD session via abuse of a messaging channel used for communication between the parent page and the stage details graph's iframe. This could allow an attacker to steal a GoCD user's session cookies and/or execute malicious code in the user's context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds.
Severity
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.073Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-qcg6-4q44-3589"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/pull/10190/commits/a256d05de1445e6c77843f098581fc6a66fe4477"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29182",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:07:08.766059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:24:22.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 19.11.0, \u003c 22.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run\u0027s Stage Details \u003e Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user\u0027s browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph\u0027s iframe. This could allow an attacker to steal a GoCD user\u0027s session cookies and/or execute malicious code in the user\u0027s context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-20T19:05:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-qcg6-4q44-3589"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/pull/10190/commits/a256d05de1445e6c77843f098581fc6a66fe4477"
}
],
"source": {
"advisory": "GHSA-qcg6-4q44-3589",
"discovery": "UNKNOWN"
},
"title": "DOM-based XSS in GoCD",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29182",
"STATE": "PUBLIC",
"TITLE": "DOM-based XSS in GoCD"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_value": "\u003e= 19.11.0, \u003c 22.1.0"
}
]
}
}
]
},
"vendor_name": "gocd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run\u0027s Stage Details \u003e Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user\u0027s browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph\u0027s iframe. This could allow an attacker to steal a GoCD user\u0027s session cookies and/or execute malicious code in the user\u0027s context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gocd/gocd/releases/tag/22.1.0",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"name": "https://www.gocd.org/releases/#22-1-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-qcg6-4q44-3589",
"refsource": "CONFIRM",
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-qcg6-4q44-3589"
},
{
"name": "https://github.com/gocd/gocd/pull/10190/commits/a256d05de1445e6c77843f098581fc6a66fe4477",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/pull/10190/commits/a256d05de1445e6c77843f098581fc6a66fe4477"
}
]
},
"source": {
"advisory": "GHSA-qcg6-4q44-3589",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29182",
"datePublished": "2022-05-20T19:05:12.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:24:22.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24832 (GCVE-0-2022-24832)
Vulnerability from cvelistv5 – Published: 2022-04-11 20:20 – Updated: 2025-04-23 18:40
Summary
GoCD is an open source continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it can allow an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, allowing them to deduce facts about other users or entries within the LDAP database (e.g. alternate fields, usernames, hashed passwords, etc.) through brute force mechanisms. This only affects users who have a working LDAP authorization configuration enabled on their GoCD server, and is only exploitable by users authenticating using such an LDAP configuration. This issue has been fixed in GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144.
Severity
8.2 (High)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.566Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-x5v3-x9qj-mh3h"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/pull/10244"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/commit/87fa7dac5d899b3960ab48e151881da4793cfcc3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.gocd.org/22.1.0/configuration/dev_authentication.html#ldapad-authentication"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/releases/tag/v2.2.0-144"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#22-1-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24832",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:54:37.374150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:40:54.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 17.5.0, \u003c 22.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is an open source a continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it can allow an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, allowing them to deduce facts about other users or entries within the LDAP database (e.g alternate fields, usernames, hashed passwords etc) through brute force mechanisms. This only affects users who have a working LDAP authorization configuration enabled on their GoCD server, and only is exploitable by users authenticating using such an LDAP configuration. This issue has been fixed in GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-11T20:20:18.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-x5v3-x9qj-mh3h"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/pull/10244"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/commit/87fa7dac5d899b3960ab48e151881da4793cfcc3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.gocd.org/22.1.0/configuration/dev_authentication.html#ldapad-authentication"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/releases/tag/v2.2.0-144"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#22-1-0"
}
],
"source": {
"advisory": "GHSA-x5v3-x9qj-mh3h",
"discovery": "UNKNOWN"
},
"title": "Bundled ldap-authentication-plugin fails to neutralise LDAP special elements in usernames",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24832",
"STATE": "PUBLIC",
"TITLE": "Bundled ldap-authentication-plugin fails to neutralise LDAP special elements in usernames"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_value": "\u003e= 17.5.0, \u003c 22.1.0"
}
]
}
}
]
},
"vendor_name": "gocd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GoCD is an open source a continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it can allow an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, allowing them to deduce facts about other users or entries within the LDAP database (e.g alternate fields, usernames, hashed passwords etc) through brute force mechanisms. This only affects users who have a working LDAP authorization configuration enabled on their GoCD server, and only is exploitable by users authenticating using such an LDAP configuration. This issue has been fixed in GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-x5v3-x9qj-mh3h",
"refsource": "CONFIRM",
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-x5v3-x9qj-mh3h"
},
{
"name": "https://github.com/gocd/gocd/pull/10244",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/pull/10244"
},
{
"name": "https://github.com/gocd/gocd-ldap-authentication-plugin/commit/87fa7dac5d899b3960ab48e151881da4793cfcc3",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/commit/87fa7dac5d899b3960ab48e151881da4793cfcc3"
},
{
"name": "https://docs.gocd.org/22.1.0/configuration/dev_authentication.html#ldapad-authentication",
"refsource": "MISC",
"url": "https://docs.gocd.org/22.1.0/configuration/dev_authentication.html#ldapad-authentication"
},
{
"name": "https://github.com/gocd/gocd-ldap-authentication-plugin",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin"
},
{
"name": "https://github.com/gocd/gocd-ldap-authentication-plugin/releases/tag/v2.2.0-144",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/releases/tag/v2.2.0-144"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/22.1.0",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"name": "https://www.gocd.org/releases/#22-1-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#22-1-0"
}
]
},
"source": {
"advisory": "GHSA-x5v3-x9qj-mh3h",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24832",
"datePublished": "2022-04-11T20:20:18.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:40:54.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}