Vulnerabilites related to thoughtworks - gocd
CVE-2024-56320 (GCVE-0-2024-56320)
Vulnerability from cvelistv5
Published
2025-01-03 15:37
Modified
2025-01-03 17:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
GoCD is a continuous deliver server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. it is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediate upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T17:51:17.956995Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T17:51:30.429Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 24.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous deliver server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin \"Configuration XML\" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. it is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediate upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T15:48:34.531Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j"
},
{
"name": "https://github.com/gocd/gocd/commit/68b598b97bd283a5a85e20d018d69fe86acf4165",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/68b598b97bd283a5a85e20d018d69fe86acf4165"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/24.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"name": "https://www.gocd.org/releases/#24-5-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#24-5-0"
}
],
"source": {
"advisory": "GHSA-346h-q594-rj8j",
"discovery": "UNKNOWN"
},
"title": "GoCD vulnerable to admin privilege escalation by a malicious internal/existing authenticated user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56320",
"datePublished": "2025-01-03T15:37:12.694Z",
"dateReserved": "2024-12-18T23:44:51.603Z",
"dateUpdated": "2025-01-03T17:51:30.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25924 (GCVE-0-2021-25924)
Vulnerability from cvelistv5
Published
2021-04-01 17:58
Modified
2024-08-03 20:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Cross-Site Request Forgery
Summary
In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/go/api/config/backup` endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the post_backup_script field.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:11:28.452Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25924%2C"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "19.6.0, 19.7.0, 19.8.0, 19.9.0, 19.10.0, 19.11.0, 19.12.0, 20.1.0, 20.2.0, 20.3.0, 20.4.0, 20.5.0, 20.6.0, 20.7.0, 20.8.0, 20.9.0, 20.10.0, 21.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/go/api/config/backup` endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the post_backup_script field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Request Forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-01T17:58:47",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25924%2C"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"ID": "CVE-2021-25924",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_value": "19.6.0, 19.7.0, 19.8.0, 19.9.0, 19.10.0, 19.11.0, 19.12.0, 20.1.0, 20.2.0, 20.3.0, 20.4.0, 20.5.0, 20.6.0, 20.7.0, 20.8.0, 20.9.0, 20.10.0, 21.1.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/go/api/config/backup` endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the post_backup_script field."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25924,",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25924,"
},
{
"name": "https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2021-25924",
"datePublished": "2021-04-01T17:58:47",
"dateReserved": "2021-01-22T00:00:00",
"dateUpdated": "2024-08-03T20:11:28.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29183 (GCVE-0-2022-29183)
Vulnerability from cvelistv5
Published
2022-05-20 19:10
Modified
2025-04-23 18:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.350Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/21.4.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#21-4-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29183",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:07:06.082996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:24:15.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 20.2.0, \u003c 21.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function\u0027s error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-20T19:10:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/21.4.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#21-4-0"
}
],
"source": {
"advisory": "GHSA-3vvq-q4qv-x2gf",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS in GoCD",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29183",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS in GoCD"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_value": "\u003e= 20.2.0, \u003c 21.4.0"
}
]
}
}
]
},
"vendor_name": "gocd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function\u0027s error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf",
"refsource": "CONFIRM",
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf"
},
{
"name": "https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/21.4.0",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/releases/tag/21.4.0"
},
{
"name": "https://www.gocd.org/releases/#21-4-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#21-4-0"
}
]
},
"source": {
"advisory": "GHSA-3vvq-q4qv-x2gf",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29183",
"datePublished": "2022-05-20T19:10:11.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:24:15.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56322 (GCVE-0-2024-56322)
Vulnerability from cvelistv5
Published
2025-01-03 15:49
Modified
2025-01-03 17:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Summary
GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T17:09:40.613611Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T17:10:02.906Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 16.7.0, \u003c 24.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T15:49:48.294Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7"
},
{
"name": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/24.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"name": "https://www.gocd.org/releases/#24-5-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#24-5-0"
}
],
"source": {
"advisory": "GHSA-8xwx-hf68-8xq7",
"discovery": "UNKNOWN"
},
"title": "GoCD vulnerable to XXE injection via abuse of unused XML configuration repository functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56322",
"datePublished": "2025-01-03T15:49:48.294Z",
"dateReserved": "2024-12-18T23:44:51.604Z",
"dateUpdated": "2025-01-03T17:10:02.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39309 (GCVE-0-2022-39309)
Vulnerability from cvelistv5
Published
2022-10-14 00:00
Modified
2025-04-23 16:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt/decrypt any secure variables/secrets in GoCD configuration to authenticated agents. A malicious/compromised agent may then expose that key from memory, and potentially allow an attacker the ability to decrypt secrets intended for other agents/environments if they also are able to obtain access to encrypted configuration values from the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.098Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.gocd.org/releases/#21-1-0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-f9qg-xcxq-cgv9"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/691b479f1310034992da141760e9c5d1f5b60e8a"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/21.1.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39309",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:56:17.902774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:49:57.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 21.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt/decrypt any secure variables/secrets in GoCD configuration to authenticated agents. A malicious/compromised agent may then expose that key from memory, and potentially allow an attacker the ability to decrypt secrets intended for other agents/environments if they also are able to obtain access to encrypted configuration values from the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-499",
"description": "CWE-499: Serializable Class Containing Sensitive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://www.gocd.org/releases/#21-1-0"
},
{
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-f9qg-xcxq-cgv9"
},
{
"url": "https://github.com/gocd/gocd/commit/691b479f1310034992da141760e9c5d1f5b60e8a"
},
{
"url": "https://github.com/gocd/gocd/releases/tag/21.1.0"
}
],
"source": {
"advisory": "GHSA-f9qg-xcxq-cgv9",
"discovery": "UNKNOWN"
},
"title": "GoCD server secret encryption/decryption key leaked to agents during material serialization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39309",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:49:57.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56321 (GCVE-0-2024-56321)
Vulnerability from cvelistv5
Published
2025-01-03 15:41
Modified
2025-01-03 17:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has ability to configure and schedule pipelines tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup-scripts. However in restricted environments where the host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T17:49:54.699823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T17:50:41.277Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 18.9.0, \u003c 24.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration \"post-backup script\" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD\u0027s user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has ability to configure and schedule pipelines tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup-scripts. However in restricted environments where the host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-36",
"description": "CWE-36: Absolute Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T15:48:22.716Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-7jr3-gh3w-vjxq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-7jr3-gh3w-vjxq"
},
{
"name": "https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/24.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"name": "https://www.gocd.org/releases/#24-5-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#24-5-0"
}
],
"source": {
"advisory": "GHSA-7jr3-gh3w-vjxq",
"discovery": "UNKNOWN"
},
"title": "GoCD can allow malicious GoCD admins to abuse backup configuration to gain additional host access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56321",
"datePublished": "2025-01-03T15:41:40.737Z",
"dateReserved": "2024-12-18T23:44:51.604Z",
"dateUpdated": "2025-01-03T17:50:41.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39308 (GCVE-0-2022-39308)
Vulnerability from cvelistv5
Published
2022-10-14 00:00
Modified
2025-04-23 16:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access token generated by a user for API access. This issue is fixed in GoCD version 19.11.0. As a workaround, users can apply rate limiting or insert random delays to API calls made to GoCD Server via a reverse proxy or other fronting web server. Another workaround, users may disallow use of access tokens by users by having an administrator revoke all access tokens through the "Access Token Management" admin function.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.019Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-999p-fp84-jcpq"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/236d4baf92e6607f2841c151c855adcc477238b8"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/19.11.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.gocd.org/releases/#19-11-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:56:20.518050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:50:02.531Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 19.2.0, \u003c 19.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access token generated by a user for API access. This issue is fixed in GoCD version 19.11.0. As a workaround, users can apply rate limiting or insert random delays to API calls made to GoCD Server via a reverse proxy or other fronting web server. Another workaround, users may disallow use of access tokens by users by having an administrator revoke all access tokens through the \"Access Token Management\" admin function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208: Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1254",
"description": "CWE-1254: Incorrect Comparison Logic Granularity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-999p-fp84-jcpq"
},
{
"url": "https://github.com/gocd/gocd/commit/236d4baf92e6607f2841c151c855adcc477238b8"
},
{
"url": "https://github.com/gocd/gocd/releases/tag/19.11.0"
},
{
"url": "https://www.gocd.org/releases/#19-11-0"
}
],
"source": {
"advisory": "GHSA-999p-fp84-jcpq",
"discovery": "UNKNOWN"
},
"title": "GoCD API authentication of user access tokens subject to timing attack during comparison"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39308",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:50:02.531Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43286 (GCVE-0-2021-43286)
Vulnerability from cvelistv5
Published
2022-04-14 12:55
Modified
2024-08-04 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL "Test Connection" feature to execute arbitrary code.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:28.476Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/2b77b533abcbb79c8fc758dec9984305dc1ade42"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/6fa9fb7a7c91e760f1adc2593acdd50f2d78676b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL \"Test Connection\" feature to execute arbitrary code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-14T12:55:51",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/2b77b533abcbb79c8fc758dec9984305dc1ade42"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/6fa9fb7a7c91e760f1adc2593acdd50f2d78676b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43286",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL \"Test Connection\" feature to execute arbitrary code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gocd.org/releases/#21-3-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"name": "https://github.com/gocd/gocd/commit/2b77b533abcbb79c8fc758dec9984305dc1ade42",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/commit/2b77b533abcbb79c8fc758dec9984305dc1ade42"
},
{
"name": "https://github.com/gocd/gocd/commit/6fa9fb7a7c91e760f1adc2593acdd50f2d78676b",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/commit/6fa9fb7a7c91e760f1adc2593acdd50f2d78676b"
},
{
"name": "https://blog.sonarsource.com/gocd-vulnerability-chain",
"refsource": "MISC",
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43286",
"datePublished": "2022-04-14T12:55:51",
"dateReserved": "2021-11-02T00:00:00",
"dateUpdated": "2024-08-04T03:55:28.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29184 (GCVE-0-2022-29184)
Vulnerability from cvelistv5
Published
2022-05-20 19:25
Modified
2025-04-23 18:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where "pipelines-as-code" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:53.908Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:53:02.382348Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:24:09.245Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 22.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where \"pipelines-as-code\" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-20T19:25:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb"
}
],
"source": {
"advisory": "GHSA-vf5r-r7j2-cf2h",
"discovery": "UNKNOWN"
},
"title": "Command Injection/Argument Injection in GoCD",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29184",
"STATE": "PUBLIC",
"TITLE": "Command Injection/Argument Injection in GoCD"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_value": "\u003c 22.1.0"
}
]
}
}
]
},
"vendor_name": "gocd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where \"pipelines-as-code\" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gocd/gocd/releases/tag/22.1.0",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"name": "https://www.gocd.org/releases/#22-1-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h",
"refsource": "CONFIRM",
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h"
},
{
"name": "https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb"
}
]
},
"source": {
"advisory": "GHSA-vf5r-r7j2-cf2h",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29184",
"datePublished": "2022-05-20T19:25:14.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:24:09.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43289 (GCVE-0-2021-43289)
Vulnerability from cvelistv5
Published
2022-04-14 12:55
Modified
2024-08-04 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into an arbitrary directory of a GoCD server, but does not control the filename.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:28.379Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into an arbitrary directory of a GoCD server, but does not control the filename."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-14T12:55:29",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43289",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into an arbitrary directory of a GoCD server, but does not control the filename."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gocd.org/releases/#21-3-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"name": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"
},
{
"name": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"
},
{
"name": "https://blog.sonarsource.com/gocd-vulnerability-chain",
"refsource": "MISC",
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43289",
"datePublished": "2022-04-14T12:55:29",
"dateReserved": "2021-11-02T00:00:00",
"dateUpdated": "2024-08-04T03:55:28.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29182 (GCVE-0-2022-29182)
Vulnerability from cvelistv5
Published
2022-05-20 19:05
Modified
2025-04-23 18:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run's Stage Details > Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user's browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph's iframe. This could allow an attacker to steal a GoCD user's session cookies and/or execute malicious code in the user's context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.073Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-qcg6-4q44-3589"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/pull/10190/commits/a256d05de1445e6c77843f098581fc6a66fe4477"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29182",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:07:08.766059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:24:22.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 19.11.0, \u003c 22.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run\u0027s Stage Details \u003e Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user\u0027s browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph\u0027s iframe. This could allow an attacker to steal a GoCD user\u0027s session cookies and/or execute malicious code in the user\u0027s context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-20T19:05:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-qcg6-4q44-3589"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/pull/10190/commits/a256d05de1445e6c77843f098581fc6a66fe4477"
}
],
"source": {
"advisory": "GHSA-qcg6-4q44-3589",
"discovery": "UNKNOWN"
},
"title": "DOM-based XSS in GoCD",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29182",
"STATE": "PUBLIC",
"TITLE": "DOM-based XSS in GoCD"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_value": "\u003e= 19.11.0, \u003c 22.1.0"
}
]
}
}
]
},
"vendor_name": "gocd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run\u0027s Stage Details \u003e Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user\u0027s browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph\u0027s iframe. This could allow an attacker to steal a GoCD user\u0027s session cookies and/or execute malicious code in the user\u0027s context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gocd/gocd/releases/tag/22.1.0",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"name": "https://www.gocd.org/releases/#22-1-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-qcg6-4q44-3589",
"refsource": "CONFIRM",
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-qcg6-4q44-3589"
},
{
"name": "https://github.com/gocd/gocd/pull/10190/commits/a256d05de1445e6c77843f098581fc6a66fe4477",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/pull/10190/commits/a256d05de1445e6c77843f098581fc6a66fe4477"
}
]
},
"source": {
"advisory": "GHSA-qcg6-4q44-3589",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29182",
"datePublished": "2022-05-20T19:05:12.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:24:22.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44659 (GCVE-0-2021-44659)
Vulnerability from cvelistv5
Published
2021-12-22 17:27
Modified
2024-08-04 04:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF). NOTE: the vendor's position is that the observed behavior is not a vulnerability, because the product's design allows an admin to configure outbound requests
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:25:16.860Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Mesh3l911/CVE-2021-44659"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://youtu.be/WW_a3znugl0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF). NOTE: the vendor\u0027s position is that the observed behavior is not a vulnerability, because the product\u0027s design allows an admin to configure outbound requests"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-09T16:23:12",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mesh3l911/CVE-2021-44659"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://youtu.be/WW_a3znugl0"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-44659",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF). NOTE: the vendor\u0027s position is that the observed behavior is not a vulnerability, because the product\u0027s design allows an admin to configure outbound requests."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gocd.org/",
"refsource": "MISC",
"url": "https://www.gocd.org/"
},
{
"name": "https://github.com/gocd/gocd",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd"
},
{
"name": "https://github.com/Mesh3l911/CVE-2021-44659",
"refsource": "MISC",
"url": "https://github.com/Mesh3l911/CVE-2021-44659"
},
{
"name": "https://youtu.be/WW_a3znugl0",
"refsource": "MISC",
"url": "https://youtu.be/WW_a3znugl0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-44659",
"datePublished": "2021-12-22T17:27:00",
"dateReserved": "2021-12-06T00:00:00",
"dateUpdated": "2024-08-04T04:25:16.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43287 (GCVE-0-2021-43287)
Vulnerability from cvelistv5
Published
2022-04-14 11:52
Modified
2024-08-04 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:28.492Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-14T11:52:39",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43287",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gocd.org/releases/#21-3-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"name": "https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c"
},
{
"name": "https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover",
"refsource": "MISC",
"url": "https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43287",
"datePublished": "2022-04-14T11:52:39",
"dateReserved": "2021-11-02T00:00:00",
"dateUpdated": "2024-08-04T03:55:28.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56324 (GCVE-0-2024-56324)
Vulnerability from cvelistv5
Published
2025-01-03 15:56
Modified
2025-01-03 18:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Summary
GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's "group admin" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T18:04:54.319891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T18:05:04.820Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 24.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD \"group admins\" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one\u0027s \"group admin\" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one\u0027s GoCD server to arbitrary locations using some kind of environment egress control."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T15:56:52.174Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78"
},
{
"name": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/24.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"name": "https://www.gocd.org/releases/#24-5-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#24-5-0"
}
],
"source": {
"advisory": "GHSA-3w9f-fgr5-5g78",
"discovery": "UNKNOWN"
},
"title": "GoCD vulnerable to XXE injection via abuse of pipeline XML \"snippet\" editing by group admins"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56324",
"datePublished": "2025-01-03T15:56:52.174Z",
"dateReserved": "2024-12-18T23:44:51.604Z",
"dateUpdated": "2025-01-03T18:05:04.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36088 (GCVE-0-2022-36088)
Vulnerability from cvelistv5
Published
2022-09-07 22:55
Modified
2025-04-23 17:13
Severity ?
VLAI Severity ?
EPSS score ?
Summary
GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the the permission of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.516Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.2.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#22-2-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36088",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:01:13.434156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:13:25.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 22.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the the permission of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-07T22:55:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.2.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#22-2-0"
}
],
"source": {
"advisory": "GHSA-gpv4-xqhc-5vcj",
"discovery": "UNKNOWN"
},
"title": "GoCD Windows installations outside default location inadequately restrict installation file permissions",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36088",
"STATE": "PUBLIC",
"TITLE": "GoCD Windows installations outside default location inadequately restrict installation file permissions"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_value": "\u003c 22.2.0"
}
]
}
}
]
},
"vendor_name": "gocd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the the permission of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-269: Improper Privilege Management"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj",
"refsource": "CONFIRM",
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj"
},
{
"name": "https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/22.2.0",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/releases/tag/22.2.0"
},
{
"name": "https://www.gocd.org/releases/#22-2-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#22-2-0"
}
]
},
"source": {
"advisory": "GHSA-gpv4-xqhc-5vcj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36088",
"datePublished": "2022-09-07T22:55:10.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:13:25.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28866 (GCVE-0-2024-28866)
Vulnerability from cvelistv5
Published
2024-05-13 13:53
Modified
2024-08-02 00:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on the loading page displayed while GoCD is starting, via abuse of a `redirect_to` query parameter with inadequate validation.
Attackers could theoretically abuse the query parameter to steal session tokens or other values from the user's browser. In practice exploiting this to perform privileged actions is likely rather difficult to exploit because the target user would need to be triggered to open an attacker-crafted link in the period where the server is starting up (but not completely started), requiring chaining with a separate denial-of-service vulnerability. Additionally, GoCD server restarts invalidate earlier session tokens (i.e GoCD does not support persistent sessions), so a stolen session token would be unusable once the server has completed restart, and executed XSS would be done within a logged-out context.
The issue is fixed in GoCD 24.1.0. As a workaround, it is technically possible in earlier GoCD versions to override the loading page with an earlier version which is not vulnerable, by starting GoCD with the Java system property override as either `-Dloading.page.resource.path=/loading_pages/default.loading.page.html` (simpler early version of loading page without GoCD introduction) or `-Dloading.page.resource.path=/does_not_exist.html` (to display a simple message with no interactivity).
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28866",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-13T17:15:21.009341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:33.107Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:56:58.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh"
},
{
"name": "https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/24.1.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.1.0"
},
{
"name": "https://www.gocd.org/releases/#24-1-0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#24-1-0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 19.4.0, \u003c 24.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on the loading page displayed while GoCD is starting, via abuse of a `redirect_to` query parameter with inadequate validation.\n\nAttackers could theoretically abuse the query parameter to steal session tokens or other values from the user\u0027s browser. In practice exploiting this to perform privileged actions is likely rather difficult to exploit because the target user would need to be triggered to open an attacker-crafted link in the period where the server is starting up (but not completely started), requiring chaining with a separate denial-of-service vulnerability. Additionally, GoCD server restarts invalidate earlier session tokens (i.e GoCD does not support persistent sessions), so a stolen session token would be unusable once the server has completed restart, and executed XSS would be done within a logged-out context.\n\nThe issue is fixed in GoCD 24.1.0. As a workaround, it is technically possible in earlier GoCD versions to override the loading page with an earlier version which is not vulnerable, by starting GoCD with the Java system property override as either `-Dloading.page.resource.path=/loading_pages/default.loading.page.html` (simpler early version of loading page without GoCD introduction) or `-Dloading.page.resource.path=/does_not_exist.html` (to display a simple message with no interactivity)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-13T13:53:30.719Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh"
},
{
"name": "https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/24.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.1.0"
},
{
"name": "https://www.gocd.org/releases/#24-1-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#24-1-0"
}
],
"source": {
"advisory": "GHSA-q882-q6mm-mgvh",
"discovery": "UNKNOWN"
},
"title": "GoCD vulnerable to reflected Cross-site Scripting possible on server loading page during start-up"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28866",
"datePublished": "2024-05-13T13:53:30.719Z",
"dateReserved": "2024-03-11T22:45:07.687Z",
"dateUpdated": "2024-08-02T00:56:58.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39311 (GCVE-0-2022-39311)
Vulnerability from cvelistv5
Published
2022-10-14 00:00
Modified
2025-04-23 16:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication or register a new agent to practically exploit this vulnerability. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.068Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.gocd.org/releases/#21-1-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39311",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:47:44.162898Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:49:45.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 21.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication or register a new agent to practically exploit this vulnerability. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm"
},
{
"url": "https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8"
},
{
"url": "https://www.gocd.org/releases/#21-1-0"
}
],
"source": {
"advisory": "GHSA-2hjh-3p3p-8hcm",
"discovery": "UNKNOWN"
},
"title": "Compromised agents may be able to execute remote code on GoCD Server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39311",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:49:45.317Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43290 (GCVE-0-2021-43290)
Vulnerability from cvelistv5
Published
2022-04-14 12:55
Modified
2024-08-04 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into a directory of a GoCD server. They can control the filename but the directory is placed inside of a directory that they can't control.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:28.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into a directory of a GoCD server. They can control the filename but the directory is placed inside of a directory that they can\u0027t control."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-14T12:55:19",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43290",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into a directory of a GoCD server. They can control the filename but the directory is placed inside of a directory that they can\u0027t control."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gocd.org/releases/#21-3-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"name": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"
},
{
"name": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"
},
{
"name": "https://blog.sonarsource.com/gocd-vulnerability-chain",
"refsource": "MISC",
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43290",
"datePublished": "2022-04-14T12:55:19",
"dateReserved": "2021-11-02T00:00:00",
"dateUpdated": "2024-08-04T03:55:28.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28629 (GCVE-0-2023-28629)
Vulnerability from cvelistv5
Published
2023-03-27 20:36
Modified
2025-02-19 15:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
GoCD is an open source continuous delivery server. GoCD versions before 23.1.0 are vulnerable to a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. An attacker that has permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing a XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Details for runs of the affected pipeline, potentially allowing them to perform arbitrary actions within the victim's browser context rather than their own. This issue has been fixed in GoCD 23.1.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:43:23.219Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm"
},
{
"name": "https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193"
},
{
"name": "https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce"
},
{
"name": "https://docs.gocd.org/current/configuration/pipeline_labeling.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.gocd.org/current/configuration/pipeline_labeling.html"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/23.1.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/23.1.0"
},
{
"name": "https://www.gocd.org/releases/#23-1-0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#23-1-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28629",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T15:15:06.368099Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T15:15:27.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 23.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is an open source continuous delivery server. GoCD versions before 23.1.0 are vulnerable to a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. An attacker that has permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing a XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Details for runs of the affected pipeline, potentially allowing them to perform arbitrary actions within the victim\u0027s browser context rather than their own. This issue has been fixed in GoCD 23.1.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T20:36:27.329Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm"
},
{
"name": "https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193"
},
{
"name": "https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce"
},
{
"name": "https://docs.gocd.org/current/configuration/pipeline_labeling.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.gocd.org/current/configuration/pipeline_labeling.html"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/23.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/23.1.0"
},
{
"name": "https://www.gocd.org/releases/#23-1-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#23-1-0"
}
],
"source": {
"advisory": "GHSA-3vvg-gjfr-q9vm",
"discovery": "UNKNOWN"
},
"title": "Stored XSS possible on VSM and Job Details pages via malicious pipeline label configuration in gocd"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28629",
"datePublished": "2023-03-27T20:36:27.329Z",
"dateReserved": "2023-03-20T12:19:47.207Z",
"dateUpdated": "2025-02-19T15:15:27.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43288 (GCVE-0-2021-43288)
Vulnerability from cvelistv5
Published
2022-04-14 12:55
Modified
2024-08-04 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker in control of a GoCD Agent can plant malicious JavaScript into a failed Job Report.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:27.977Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker in control of a GoCD Agent can plant malicious JavaScript into a failed Job Report."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-14T12:55:37",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43288",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker in control of a GoCD Agent can plant malicious JavaScript into a failed Job Report."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gocd.org/releases/#21-3-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"name": "https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4"
},
{
"name": "https://blog.sonarsource.com/gocd-vulnerability-chain",
"refsource": "MISC",
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43288",
"datePublished": "2022-04-14T12:55:37",
"dateReserved": "2021-11-02T00:00:00",
"dateUpdated": "2024-08-04T03:55:27.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28630 (GCVE-0-2023-28630)
Vulnerability from cvelistv5
Published
2023-03-27 20:33
Modified
2025-02-19 15:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Summary
GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0, if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools, the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled, but does not have access to the `pg_dump` or `mysqldump` utility tools to backup the configured database type (PostgreSQL or MySQL respectively). In such cases, failure to launch the expected backup utility reports the shell environment used to attempt to launch in the server admin alert, which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use. This issue has been addressed and fixed in GoCD 23.1.0. Users are advised to upgrade. Users unable to upgrade may disable backups, or administrators should ensure that the required `pg_dump` (PostgreSQL) or `mysqldump` (MySQL) binaries are available on the GoCD server when backups are triggered.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:43:23.693Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv"
},
{
"name": "https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/23.1.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/23.1.0"
},
{
"name": "https://www.gocd.org/releases/#23-1-0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#23-1-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28630",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T15:18:08.572909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T15:18:28.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 20.5.0, \u003c 23.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0, if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools, the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled, but does not have access to the `pg_dump` or `mysqldump` utility tools to backup the configured database type (PostgreSQL or MySQL respectively). In such cases, failure to launch the expected backup utility reports the shell environment used to attempt to launch in the server admin alert, which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use. This issue has been addressed and fixed in GoCD 23.1.0. Users are advised to upgrade. Users unable to upgrade may disable backups, or administrators should ensure that the required `pg_dump` (PostgreSQL) or `mysqldump` (MySQL) binaries are available on the GoCD server when backups are triggered."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T20:33:48.775Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv"
},
{
"name": "https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/23.1.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/23.1.0"
},
{
"name": "https://www.gocd.org/releases/#23-1-0",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#23-1-0"
}
],
"source": {
"advisory": "GHSA-p95w-gh78-qjmv",
"discovery": "UNKNOWN"
},
"title": "Sensitive information disclosure possible on misconfigured failed backups of non-H2 databases in gocd"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28630",
"datePublished": "2023-03-27T20:33:48.775Z",
"dateReserved": "2023-03-20T12:19:47.207Z",
"dateUpdated": "2025-02-19T15:18:28.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24832 (GCVE-0-2022-24832)
Vulnerability from cvelistv5
Published
2022-04-11 20:20
Modified
2025-04-23 18:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Summary
GoCD is an open source a continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it can allow an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, allowing them to deduce facts about other users or entries within the LDAP database (e.g alternate fields, usernames, hashed passwords etc) through brute force mechanisms. This only affects users who have a working LDAP authorization configuration enabled on their GoCD server, and only is exploitable by users authenticating using such an LDAP configuration. This issue has been fixed in GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.566Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-x5v3-x9qj-mh3h"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/pull/10244"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/commit/87fa7dac5d899b3960ab48e151881da4793cfcc3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.gocd.org/22.1.0/configuration/dev_authentication.html#ldapad-authentication"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/releases/tag/v2.2.0-144"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.gocd.org/releases/#22-1-0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24832",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:54:37.374150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:40:54.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003e= 17.5.0, \u003c 22.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is an open source a continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it can allow an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, allowing them to deduce facts about other users or entries within the LDAP database (e.g alternate fields, usernames, hashed passwords etc) through brute force mechanisms. This only affects users who have a working LDAP authorization configuration enabled on their GoCD server, and only is exploitable by users authenticating using such an LDAP configuration. This issue has been fixed in GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-11T20:20:18.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-x5v3-x9qj-mh3h"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/pull/10244"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/commit/87fa7dac5d899b3960ab48e151881da4793cfcc3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.gocd.org/22.1.0/configuration/dev_authentication.html#ldapad-authentication"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/releases/tag/v2.2.0-144"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.gocd.org/releases/#22-1-0"
}
],
"source": {
"advisory": "GHSA-x5v3-x9qj-mh3h",
"discovery": "UNKNOWN"
},
"title": "Bundled ldap-authentication-plugin fails to neutralise LDAP special elements in usernames",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24832",
"STATE": "PUBLIC",
"TITLE": "Bundled ldap-authentication-plugin fails to neutralise LDAP special elements in usernames"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gocd",
"version": {
"version_data": [
{
"version_value": "\u003e= 17.5.0, \u003c 22.1.0"
}
]
}
}
]
},
"vendor_name": "gocd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GoCD is an open source a continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it can allow an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, allowing them to deduce facts about other users or entries within the LDAP database (e.g alternate fields, usernames, hashed passwords etc) through brute force mechanisms. This only affects users who have a working LDAP authorization configuration enabled on their GoCD server, and only is exploitable by users authenticating using such an LDAP configuration. This issue has been fixed in GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gocd/gocd/security/advisories/GHSA-x5v3-x9qj-mh3h",
"refsource": "CONFIRM",
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-x5v3-x9qj-mh3h"
},
{
"name": "https://github.com/gocd/gocd/pull/10244",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/pull/10244"
},
{
"name": "https://github.com/gocd/gocd-ldap-authentication-plugin/commit/87fa7dac5d899b3960ab48e151881da4793cfcc3",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/commit/87fa7dac5d899b3960ab48e151881da4793cfcc3"
},
{
"name": "https://docs.gocd.org/22.1.0/configuration/dev_authentication.html#ldapad-authentication",
"refsource": "MISC",
"url": "https://docs.gocd.org/22.1.0/configuration/dev_authentication.html#ldapad-authentication"
},
{
"name": "https://github.com/gocd/gocd-ldap-authentication-plugin",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin"
},
{
"name": "https://github.com/gocd/gocd-ldap-authentication-plugin/releases/tag/v2.2.0-144",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/releases/tag/v2.2.0-144"
},
{
"name": "https://github.com/gocd/gocd/releases/tag/22.1.0",
"refsource": "MISC",
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"name": "https://www.gocd.org/releases/#22-1-0",
"refsource": "MISC",
"url": "https://www.gocd.org/releases/#22-1-0"
}
]
},
"source": {
"advisory": "GHSA-x5v3-x9qj-mh3h",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24832",
"datePublished": "2022-04-11T20:20:18.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:40:54.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39310 (GCVE-0-2022-39310)
Vulnerability from cvelistv5
Published
2022-10-14 00:00
Modified
2025-04-23 16:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authenticated agent to impersonate another agent, and thus receive work packages for other agents due to broken access control and incorrect validation of agent tokens within the GoCD server. Since work packages can contain sensitive information such as credentials intended only for a given job running against a specific agent environment, this can cause accidental information disclosure. Exploitation requires knowledge of agent identifiers and ability to authenticate as an existing agent with the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.108Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.gocd.org/releases/#21-1-0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-4fp5-33jh-hgcq"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/gocd/gocd/pull/8877"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39310",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:56:15.446460Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:49:51.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gocd",
"vendor": "gocd",
"versions": [
{
"status": "affected",
"version": "\u003c 21.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authenticated agent to impersonate another agent, and thus receive work packages for other agents due to broken access control and incorrect validation of agent tokens within the GoCD server. Since work packages can contain sensitive information such as credentials intended only for a given job running against a specific agent environment, this can cause accidental information disclosure. Exploitation requires knowledge of agent identifiers and ability to authenticate as an existing agent with the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-14T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://www.gocd.org/releases/#21-1-0"
},
{
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-4fp5-33jh-hgcq"
},
{
"url": "https://github.com/gocd/gocd/pull/8877"
}
],
"source": {
"advisory": "GHSA-4fp5-33jh-hgcq",
"discovery": "UNKNOWN"
},
"title": "Malicious agent may be able to impersonate another agent in GoCD"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39310",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:49:51.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2022-04-14 13:15
Modified
2024-11-21 06:29
Severity ?
Summary
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL "Test Connection" feature to execute arbitrary code.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.sonarsource.com/gocd-vulnerability-chain | Exploit, Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/gocd/gocd/commit/2b77b533abcbb79c8fc758dec9984305dc1ade42 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/gocd/gocd/commit/6fa9fb7a7c91e760f1adc2593acdd50f2d78676b | Patch, Third Party Advisory | |
| cve@mitre.org | https://www.gocd.org/releases/#21-3-0 | Issue Tracking, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.sonarsource.com/gocd-vulnerability-chain | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/commit/2b77b533abcbb79c8fc758dec9984305dc1ade42 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/commit/6fa9fb7a7c91e760f1adc2593acdd50f2d78676b | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.gocd.org/releases/#21-3-0 | Issue Tracking, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "96C28DAA-9A8B-46E3-9443-656B378A26D8",
"versionEndExcluding": "21.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL \"Test Connection\" feature to execute arbitrary code."
},
{
"lang": "es",
"value": "Se ha detectado un problema en ThoughtWorks GoCD versiones anteriores a 21.3.0. Un atacante con privilegios para crear un nuevo pipeline en un servidor GoCD puede abusar de una inyecci\u00f3n de l\u00ednea de comandos en la funci\u00f3n \"Test Connection\" de Git URL para ejecutar c\u00f3digo arbitrario"
}
],
"id": "CVE-2021-43286",
"lastModified": "2024-11-21T06:29:00.260",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-14T13:15:11.417",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/2b77b533abcbb79c8fc758dec9984305dc1ade42"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/6fa9fb7a7c91e760f1adc2593acdd50f2d78676b"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/2b77b533abcbb79c8fc758dec9984305dc1ade42"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/6fa9fb7a7c91e760f1adc2593acdd50f2d78676b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-3-0"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-14 13:15
Modified
2024-11-21 06:29
Severity ?
Summary
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker in control of a GoCD Agent can plant malicious JavaScript into a failed Job Report.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.sonarsource.com/gocd-vulnerability-chain | Exploit, Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4 | Patch, Third Party Advisory | |
| cve@mitre.org | https://www.gocd.org/releases/#21-3-0 | Issue Tracking, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.sonarsource.com/gocd-vulnerability-chain | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.gocd.org/releases/#21-3-0 | Issue Tracking, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "96C28DAA-9A8B-46E3-9443-656B378A26D8",
"versionEndExcluding": "21.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker in control of a GoCD Agent can plant malicious JavaScript into a failed Job Report."
},
{
"lang": "es",
"value": "Se ha detectado un problema en ThoughtWorks GoCD versiones anteriores a 21.3.0. Un atacante que tenga el control de un agente GoCD puede plantar JavaScript malicioso en un informe de trabajo fallido"
}
],
"id": "CVE-2021-43288",
"lastModified": "2024-11-21T06:29:00.610",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-14T13:15:11.460",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/f5c1d2aa9ab302a97898a6e4b16218e64fe8e9e4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-3-0"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-14 20:15
Modified
2024-11-21 07:18
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt/decrypt any secure variables/secrets in GoCD configuration to authenticated agents. A malicious/compromised agent may then expose that key from memory, and potentially allow an attacker the ability to decrypt secrets intended for other agents/environments if they also are able to obtain access to encrypted configuration values from the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AE600F59-5CB0-4E7F-B58F-16121BF8F61E",
"versionEndExcluding": "21.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt/decrypt any secure variables/secrets in GoCD configuration to authenticated agents. A malicious/compromised agent may then expose that key from memory, and potentially allow an attacker the ability to decrypt secrets intended for other agents/environments if they also are able to obtain access to encrypted configuration values from the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua. GoCD le ayuda a automatizar y agilizar el ciclo de construcci\u00f3n-prueba-lanzamiento para la entrega continua de su producto. Las versiones de GoCD anteriores a 21.1.0 filtran la clave sim\u00e9trica usada para cifrar/descifrar cualquier variable/secreto seguro en la configuraci\u00f3n de GoCD a los agentes autenticados. Un agente malicioso/comprometido puede entonces exponer esa clave desde la memoria, y potencialmente permitir a un atacante la capacidad de descifrar secretos destinados a otros agentes/entornos si tambi\u00e9n son capaces de obtener acceso a los valores de configuraci\u00f3n cifrados del servidor GoCD. Este problema ha sido corregido en GoCD versi\u00f3n 21.1.0. Actualmente no se presentan mitigaciones\n"
}
],
"id": "CVE-2022-39309",
"lastModified": "2024-11-21T07:18:00.317",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-14T20:15:15.553",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/691b479f1310034992da141760e9c5d1f5b60e8a"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/21.1.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-f9qg-xcxq-cgv9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-1-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/691b479f1310034992da141760e9c5d1f5b60e8a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/21.1.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-f9qg-xcxq-cgv9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-1-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
},
{
"lang": "en",
"value": "CWE-499"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-14 13:15
Modified
2024-11-21 06:29
Severity ?
Summary
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into a directory of a GoCD server. They can control the filename but the directory is placed inside of a directory that they can't control.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.sonarsource.com/gocd-vulnerability-chain | Exploit, Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f | Patch, Third Party Advisory | |
| cve@mitre.org | https://www.gocd.org/releases/#21-3-0 | Issue Tracking, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.sonarsource.com/gocd-vulnerability-chain | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.gocd.org/releases/#21-3-0 | Issue Tracking, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "96C28DAA-9A8B-46E3-9443-656B378A26D8",
"versionEndExcluding": "21.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into a directory of a GoCD server. They can control the filename but the directory is placed inside of a directory that they can\u0027t control."
},
{
"lang": "es",
"value": "Se ha detectado un problema en ThoughtWorks GoCD versiones anteriores a 21.3.0. Un atacante que haya comprometido un agente GoCD puede cargar un archivo malicioso en un directorio de un servidor GoCD. Pueden controlar el nombre del archivo, pero el directorio es colocado dentro de un directorio que no pueden controlar"
}
],
"id": "CVE-2021-43290",
"lastModified": "2024-11-21T06:29:00.920",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-14T13:15:11.540",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-3-0"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-11 21:15
Modified
2024-11-21 06:51
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
GoCD is an open source a continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it can allow an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, allowing them to deduce facts about other users or entries within the LDAP database (e.g alternate fields, usernames, hashed passwords etc) through brute force mechanisms. This only affects users who have a working LDAP authorization configuration enabled on their GoCD server, and only is exploitable by users authenticating using such an LDAP configuration. This issue has been fixed in GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "99BD6223-23F8-429D-AE5F-F59FCAFD0231",
"versionEndExcluding": "22.1.0",
"versionStartIncluding": "17.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is an open source a continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it can allow an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, allowing them to deduce facts about other users or entries within the LDAP database (e.g alternate fields, usernames, hashed passwords etc) through brute force mechanisms. This only affects users who have a working LDAP authorization configuration enabled on their GoCD server, and only is exploitable by users authenticating using such an LDAP configuration. This issue has been fixed in GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua de c\u00f3digo abierto. El complemento gocd-ldap-authentication-plugin incluido en el servidor GoCD no escapa correctamente los caracteres especiales cuando es usado el nombre de usuario para construir consultas LDAP. Mientras que esto no permite directamente la exfiltraci\u00f3n arbitraria de datos LDAP, puede permitir que un usuario existente de GoCD autenticado por LDAP con intenciones maliciosas construya y ejecute consultas maliciosas, permiti\u00e9ndole deducir hechos sobre otros usuarios o entradas dentro de la base de datos LDAP (por ejemplo, campos alternativos, nombres de usuario, contrase\u00f1as con hash, etc.) mediante mecanismos de fuerza bruta. Esto s\u00f3lo afecta a usuarios que presentan una configuraci\u00f3n de autorizaci\u00f3n LDAP habilitada en su servidor GoCD, y s\u00f3lo es explotable por usuarios que son autenticados usando dicha configuraci\u00f3n LDAP. Este problema ha sido corregido en versi\u00f3n 22.1.0 de GoCD, que es incluida con el complemento gocd-ldap-authentication-plugin versi\u00f3n v2.2.0-144"
}
],
"id": "CVE-2022-24832",
"lastModified": "2024-11-21T06:51:11.833",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.8,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-11T21:15:08.570",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.gocd.org/22.1.0/configuration/dev_authentication.html#ldapad-authentication"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/commit/87fa7dac5d899b3960ab48e151881da4793cfcc3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/releases/tag/v2.2.0-144"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/pull/10244"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-x5v3-x9qj-mh3h"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://docs.gocd.org/22.1.0/configuration/dev_authentication.html#ldapad-authentication"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/commit/87fa7dac5d899b3960ab48e151881da4793cfcc3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd-ldap-authentication-plugin/releases/tag/v2.2.0-144"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/pull/10244"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-x5v3-x9qj-mh3h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#22-1-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-03 16:15
Modified
2025-08-01 19:22
Severity ?
Summary
GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's "group admin" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "82991491-8373-474D-95B9-F1F305632610",
"versionEndExcluding": "24.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD \"group admins\" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one\u0027s \"group admin\" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one\u0027s GoCD server to arbitrary locations using some kind of environment egress control."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua. Las versiones de GoCD anteriores a la 24.4.0 pueden permitir que los \"administradores de grupo\" de GoCD abusen de la capacidad de editar la configuraci\u00f3n XML sin procesar de los grupos que administran para activar la inyecci\u00f3n de entidad externa XML (XXE) en el servidor de GoCD. En teor\u00eda, la vulnerabilidad XXE puede dar lugar a ataques adicionales, como SSRF, divulgaci\u00f3n de informaci\u00f3n desde el servidor de GoCD y navegaci\u00f3n de directorios, aunque no se ha demostrado expl\u00edcitamente que estos ataques adicionales sean explotables. Este problema se solucion\u00f3 en GoCD 24.5.0. Hay algunas workarounds disponibles. Se puede bloquear temporalmente el acceso a las rutas `/go/*/pipelines/snippet` desde un proxy inverso externo o WAF si los usuarios \"administradores de grupo\" no necesitan la funcionalidad para editar el XML de las canalizaciones directamente (en lugar de usar la interfaz de usuario o un repositorio de configuraci\u00f3n). Tambi\u00e9n se puede impedir el acceso externo desde el servidor de GoCD a ubicaciones arbitrarias utilizando alg\u00fan tipo de control de salida del entorno."
}
],
"id": "CVE-2024-56324",
"lastModified": "2025-08-01T19:22:23.413",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 2.1,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-01-03T16:15:26.643",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://www.gocd.org/releases/#24-5-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-27 21:15
Modified
2024-11-21 07:55
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
GoCD is an open source continuous delivery server. GoCD versions before 23.1.0 are vulnerable to a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. An attacker that has permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing a XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Details for runs of the affected pipeline, potentially allowing them to perform arbitrary actions within the victim's browser context rather than their own. This issue has been fixed in GoCD 23.1.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79B56F88-BE21-4ED0-A079-DFD2EF0D8E54",
"versionEndExcluding": "23.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is an open source continuous delivery server. GoCD versions before 23.1.0 are vulnerable to a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. An attacker that has permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing a XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Details for runs of the affected pipeline, potentially allowing them to perform arbitrary actions within the victim\u0027s browser context rather than their own. This issue has been fixed in GoCD 23.1.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"id": "CVE-2023-28629",
"lastModified": "2024-11-21T07:55:41.920",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-27T21:15:12.483",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://docs.gocd.org/current/configuration/pipeline_labeling.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/gocd/gocd/releases/tag/23.1.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://www.gocd.org/releases/#23-1-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://docs.gocd.org/current/configuration/pipeline_labeling.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/gocd/gocd/releases/tag/23.1.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.gocd.org/releases/#23-1-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-20 20:15
Modified
2024-11-21 06:58
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where "pipelines-as-code" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/gocd/gocd/releases/tag/22.1.0 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h | Third Party Advisory | |
| security-advisories@github.com | https://www.gocd.org/releases/#22-1-0 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/releases/tag/22.1.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.gocd.org/releases/#22-1-0 | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B80FC31B-2CF2-4DE9-8ADB-ADEA24124ABB",
"versionEndExcluding": "22.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where \"pipelines-as-code\" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua. En GoCD versiones anteriores a 22.1.0, es posible que los usuarios autenticados existentes que presentan permisos para editar o crear materiales de canalizaci\u00f3n o repositorios de configuraci\u00f3n de canalizaci\u00f3n obtengan la capacidad de ejecuci\u00f3n de c\u00f3digo remota en el servidor GoCD por medio de la configuraci\u00f3n de un nombre de rama malicioso que abusa de los ganchos/aliases de Mercurial para explotar una debilidad de inyecci\u00f3n de comandos. Un atacante necesitar\u00eda acceder a una cuenta con permisos de administraci\u00f3n de GoCD para crear/editar repositorios de configuraci\u00f3n (basados en \"hg\"); crear/editar pipelines y sus materiales (basados en \"hg\"); o, cuando son usados repositorios de configuraci\u00f3n \"pipelines-as-code\", enviar una configuraci\u00f3n maliciosa a dicho repositorio externo que ser\u00e1 analizada autom\u00e1ticamente en una configuraci\u00f3n de pipeline y una definici\u00f3n de material (\"hg\") por el servidor GoCD. Este problema ha sido corregido en GoCD versi\u00f3n 22.1.0. Como mitigaci\u00f3n, los usuarios que no usan/dependen de los materiales Mercurial pueden desinstalar/eliminar el binario \"hg\"/Mercurial del sistema operativo subyacente del servidor GoCD o de la imagen Docker"
}
],
"id": "CVE-2022-29184",
"lastModified": "2024-11-21T06:58:39.750",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-20T20:15:10.073",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#22-1-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
},
{
"lang": "en",
"value": "CWE-88"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-14 20:15
Modified
2024-11-21 07:18
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authenticated agent to impersonate another agent, and thus receive work packages for other agents due to broken access control and incorrect validation of agent tokens within the GoCD server. Since work packages can contain sensitive information such as credentials intended only for a given job running against a specific agent environment, this can cause accidental information disclosure. Exploitation requires knowledge of agent identifiers and ability to authenticate as an existing agent with the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/gocd/gocd/pull/8877 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/gocd/gocd/security/advisories/GHSA-4fp5-33jh-hgcq | Patch, Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://www.gocd.org/releases/#21-1-0 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/pull/8877 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/security/advisories/GHSA-4fp5-33jh-hgcq | Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.gocd.org/releases/#21-1-0 | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AE600F59-5CB0-4E7F-B58F-16121BF8F61E",
"versionEndExcluding": "21.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authenticated agent to impersonate another agent, and thus receive work packages for other agents due to broken access control and incorrect validation of agent tokens within the GoCD server. Since work packages can contain sensitive information such as credentials intended only for a given job running against a specific agent environment, this can cause accidental information disclosure. Exploitation requires knowledge of agent identifiers and ability to authenticate as an existing agent with the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua. GoCD le ayuda a automatizar y agilizar el ciclo de construcci\u00f3n-prueba-lanzamiento para la entrega continua de su producto. Las versiones de GoCD anteriores a 21.1.0 pueden permitir a un agente autenticado hacerse pasar por otro agente y, por lo tanto, reciba paquetes de trabajo para otros agentes debido a un control de acceso roto y a una comprobaci\u00f3n incorrecta de los tokens de los agentes dentro del servidor de GoCD. Dado que los paquetes de trabajo pueden contener informaci\u00f3n confidencial, como credenciales destinadas \u00fanicamente a un trabajo determinado que es ejecutado en un entorno de agente espec\u00edfico, esto puede causar la divulgaci\u00f3n accidental de informaci\u00f3n. La explotaci\u00f3n requiere el conocimiento de los identificadores del agente y la capacidad de autenticarse como un agente existente con el servidor GoCD. Este problema ha sido corregido en GoCD versi\u00f3n 21.1.0. Actualmente no se presentan mitigaciones conocidas"
}
],
"id": "CVE-2022-39310",
"lastModified": "2024-11-21T07:18:00.447",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-14T20:15:16.053",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/pull/8877"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-4fp5-33jh-hgcq"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-1-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/pull/8877"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-4fp5-33jh-hgcq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-1-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-05-14 15:14
Modified
2025-08-04 14:43
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on the loading page displayed while GoCD is starting, via abuse of a `redirect_to` query parameter with inadequate validation.
Attackers could theoretically abuse the query parameter to steal session tokens or other values from the user's browser. In practice exploiting this to perform privileged actions is likely rather difficult to exploit because the target user would need to be triggered to open an attacker-crafted link in the period where the server is starting up (but not completely started), requiring chaining with a separate denial-of-service vulnerability. Additionally, GoCD server restarts invalidate earlier session tokens (i.e GoCD does not support persistent sessions), so a stolen session token would be unusable once the server has completed restart, and executed XSS would be done within a logged-out context.
The issue is fixed in GoCD 24.1.0. As a workaround, it is technically possible in earlier GoCD versions to override the loading page with an earlier version which is not vulnerable, by starting GoCD with the Java system property override as either `-Dloading.page.resource.path=/loading_pages/default.loading.page.html` (simpler early version of loading page without GoCD introduction) or `-Dloading.page.resource.path=/does_not_exist.html` (to display a simple message with no interactivity).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BB483AE-9612-4D05-8063-02C45F8700B2",
"versionEndExcluding": "24.1.0",
"versionStartIncluding": "19.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on the loading page displayed while GoCD is starting, via abuse of a `redirect_to` query parameter with inadequate validation.\n\nAttackers could theoretically abuse the query parameter to steal session tokens or other values from the user\u0027s browser. In practice exploiting this to perform privileged actions is likely rather difficult to exploit because the target user would need to be triggered to open an attacker-crafted link in the period where the server is starting up (but not completely started), requiring chaining with a separate denial-of-service vulnerability. Additionally, GoCD server restarts invalidate earlier session tokens (i.e GoCD does not support persistent sessions), so a stolen session token would be unusable once the server has completed restart, and executed XSS would be done within a logged-out context.\n\nThe issue is fixed in GoCD 24.1.0. As a workaround, it is technically possible in earlier GoCD versions to override the loading page with an earlier version which is not vulnerable, by starting GoCD with the Java system property override as either `-Dloading.page.resource.path=/loading_pages/default.loading.page.html` (simpler early version of loading page without GoCD introduction) or `-Dloading.page.resource.path=/does_not_exist.html` (to display a simple message with no interactivity)."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua. Las versiones de GoCD de 19.4.0 a 23.5.0 (incluida) son potencialmente vulnerables a una vulnerabilidad de Cross Site Scripting reflejado en la p\u00e1gina de carga que se muestra mientras se inicia GoCD, a trav\u00e9s del abuso de un par\u00e1metro de consulta `redirect_to` con validaci\u00f3n inadecuada. En teor\u00eda, los atacantes podr\u00edan abusar del par\u00e1metro de consulta para robar tokens de sesi\u00f3n u otros valores del navegador del usuario. En la pr\u00e1ctica, explotar esto para realizar acciones privilegiadas probablemente sea bastante dif\u00edcil de explotar porque el usuario objetivo necesitar\u00eda ser activado para abrir un enlace creado por el atacante en el per\u00edodo en el que el servidor se est\u00e1 iniciando (pero no completamente iniciado), lo que requiere encadenamiento con un vulnerabilidad de denegaci\u00f3n de servicio separada. Adem\u00e1s, los reinicios del servidor GoCD invalidan los tokens de sesi\u00f3n anteriores (es decir, GoCD no admite sesiones persistentes), por lo que un token de sesi\u00f3n robado quedar\u00eda inutilizable una vez que el servidor haya completado el reinicio, y el XSS ejecutado se realizar\u00eda dentro de un contexto de cierre de sesi\u00f3n. El problema se solucion\u00f3 en GoCD 24.1.0. Como workaround, es t\u00e9cnicamente posible en versiones anteriores de GoCD anular la p\u00e1gina de carga con una versi\u00f3n anterior que no sea vulnerable, iniciando GoCD con la propiedad del sistema Java anulada como `-Dloading.page.resource.path=/loading_pages/ default.loading.page.html` (versi\u00f3n inicial m\u00e1s simple de la p\u00e1gina de carga sin introducci\u00f3n de GoCD) o `-Dloading.page.resource.path=/does_not_exist.html` (para mostrar un mensaje simple sin interactividad)."
}
],
"id": "CVE-2024-28866",
"lastModified": "2025-08-04T14:43:31.513",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-05-14T15:14:46.727",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.1.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://www.gocd.org/releases/#24-1-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.1.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.gocd.org/releases/#24-1-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-27 21:15
Modified
2024-11-21 07:55
Severity ?
4.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0, if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools, the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled, but does not have access to the `pg_dump` or `mysqldump` utility tools to backup the configured database type (PostgreSQL or MySQL respectively). In such cases, failure to launch the expected backup utility reports the shell environment used to attempt to launch in the server admin alert, which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use. This issue has been addressed and fixed in GoCD 23.1.0. Users are advised to upgrade. Users unable to upgrade may disable backups, or administrators should ensure that the required `pg_dump` (PostgreSQL) or `mysqldump` (MySQL) binaries are available on the GoCD server when backups are triggered.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "29DC9E78-250A-4C59-966F-95C32E409D3E",
"versionEndExcluding": "23.1.0",
"versionStartIncluding": "20.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0, if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools, the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled, but does not have access to the `pg_dump` or `mysqldump` utility tools to backup the configured database type (PostgreSQL or MySQL respectively). In such cases, failure to launch the expected backup utility reports the shell environment used to attempt to launch in the server admin alert, which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use. This issue has been addressed and fixed in GoCD 23.1.0. Users are advised to upgrade. Users unable to upgrade may disable backups, or administrators should ensure that the required `pg_dump` (PostgreSQL) or `mysqldump` (MySQL) binaries are available on the GoCD server when backups are triggered."
}
],
"id": "CVE-2023-28630",
"lastModified": "2024-11-21T07:55:42.050",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.6,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-27T21:15:12.543",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/gocd/gocd/releases/tag/23.1.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://www.gocd.org/releases/#23-1-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/gocd/gocd/releases/tag/23.1.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.gocd.org/releases/#23-1-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-07 23:15
Modified
2024-11-21 07:12
Severity ?
5.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the the permission of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/gocd/gocd/releases/tag/22.2.0 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj | Mitigation, Third Party Advisory | |
| security-advisories@github.com | https://www.gocd.org/releases/#22-2-0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/releases/tag/22.2.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj | Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.gocd.org/releases/#22-2-0 | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * | |
| microsoft | windows | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "970CAC84-EF89-47E2-B692-DE3CF011135A",
"versionEndExcluding": "22.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the the permission of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua. Las instalaciones de Windows por medio de los instaladores del servidor o del agente para GoCD versiones anteriores a 22.2.0, no restringen apropiadamente los permisos cuando son instalados fuera de la ubicaci\u00f3n predeterminada. Esto podr\u00eda permitir a un usuario malicioso con acceso local al servidor en el que es instalado el servidor o el agente de GoCD modificar los ejecutables o los componentes de la instalaci\u00f3n. Esto no afecta a instalaciones basadas en archivos zip, a instalaciones en otras plataformas ni a instalaciones dentro de \"Program Files\" or \"Program Files (x86)\". Este problema ha sido corregido en los instaladores de GoCD versi\u00f3n 22.2.0. Como mitigaci\u00f3n, si el servidor o el agente es instalado fuera de \"Program Files (x86)\", compruebe los permisos del directorio de instalaci\u00f3n del servidor o del agente para asegurarse de que el grupo de usuarios \"Everyone\" no presenta permisos de \"Full Control\", \"Modify\" o \"Write\""
}
],
"id": "CVE-2022-36088",
"lastModified": "2024-11-21T07:12:21.570",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-07T23:15:14.170",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.2.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://www.gocd.org/releases/#22-2-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.2.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://www.gocd.org/releases/#22-2-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
},
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-14 19:15
Modified
2024-11-21 07:18
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access token generated by a user for API access. This issue is fixed in GoCD version 19.11.0. As a workaround, users can apply rate limiting or insert random delays to API calls made to GoCD Server via a reverse proxy or other fronting web server. Another workaround, users may disallow use of access tokens by users by having an administrator revoke all access tokens through the "Access Token Management" admin function.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/gocd/gocd/commit/236d4baf92e6607f2841c151c855adcc477238b8 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/gocd/gocd/releases/tag/19.11.0 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/gocd/gocd/security/advisories/GHSA-999p-fp84-jcpq | Third Party Advisory | |
| security-advisories@github.com | https://www.gocd.org/releases/#19-11-0 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/commit/236d4baf92e6607f2841c151c855adcc477238b8 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/releases/tag/19.11.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/security/advisories/GHSA-999p-fp84-jcpq | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.gocd.org/releases/#19-11-0 | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E01CC28F-6249-4F22-813A-C33F5261EF47",
"versionEndExcluding": "19.11.0",
"versionStartIncluding": "19.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access token generated by a user for API access. This issue is fixed in GoCD version 19.11.0. As a workaround, users can apply rate limiting or insert random delays to API calls made to GoCD Server via a reverse proxy or other fronting web server. Another workaround, users may disallow use of access tokens by users by having an administrator revoke all access tokens through the \"Access Token Management\" admin function."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua. GoCD le ayuda a automatizar y agilizar el ciclo de construcci\u00f3n-prueba-lanzamiento para la entrega continua de su producto. Las versiones de GoCD desde la 19.2.0 hasta 19.10.0 (incluy\u00e9ndola) est\u00e1n sujetas a un ataque de tiempo en la comprobaci\u00f3n de tokens de acceso debido al uso de la comparaci\u00f3n de cadenas regulares para la comprobaci\u00f3n del token en lugar de un algoritmo de tiempo constante. Esto podr\u00eda permitir un ataque de fuerza bruta en las llamadas a la API del servidor de GoCD para observar las diferencias de tiempo en las validaciones con el fin de adivinar un token de acceso generado por un usuario para acceder a la API. Este problema ha sido corregido en GoCD versi\u00f3n 19.11.0. Como mitigaci\u00f3n, los usuarios pueden aplicar una limitaci\u00f3n de velocidad o insertar retrasos aleatorios en las llamadas a la API realizadas al servidor GoCD por medio de un proxy inverso u otro servidor web de fachada. Otra mitigaci\u00f3n es que los usuarios no permitan el uso de tokens de acceso por parte de los usuarios haciendo que un administrador revoque todos los tokens de acceso mediante de la funci\u00f3n de administraci\u00f3n \"Access Token Management\""
}
],
"id": "CVE-2022-39308",
"lastModified": "2024-11-21T07:18:00.193",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-14T19:15:18.310",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/236d4baf92e6607f2841c151c855adcc477238b8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/19.11.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-999p-fp84-jcpq"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#19-11-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/236d4baf92e6607f2841c151c855adcc477238b8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/19.11.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-999p-fp84-jcpq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#19-11-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-208"
},
{
"lang": "en",
"value": "CWE-1254"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-697"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-14 12:15
Modified
2024-11-21 06:29
Severity ?
Summary
An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover | Exploit, Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c | Patch, Third Party Advisory | |
| cve@mitre.org | https://www.gocd.org/releases/#21-3-0 | Issue Tracking, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.gocd.org/releases/#21-3-0 | Issue Tracking, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "96C28DAA-9A8B-46E3-9443-656B378A26D8",
"versionEndExcluding": "21.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers."
},
{
"lang": "es",
"value": "Se ha detectado un problema en ThoughtWorks GoCD versiones anteriores a 21.3.0. El complemento de continuidad del negocio, que est\u00e1 habilitado por defecto, filtra todos los secretos conocidos por el servidor GoCD a atacantes no autenticados"
}
],
"id": "CVE-2021-43287",
"lastModified": "2024-11-21T06:29:00.440",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-14T12:15:07.717",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/41abc210ac4e8cfa184483c9ff1c0cc04fb3511c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-3-0"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-20 19:15
Modified
2024-11-21 06:58
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1 | Patch | |
| security-advisories@github.com | https://github.com/gocd/gocd/releases/tag/21.4.0 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf | Third Party Advisory | |
| security-advisories@github.com | https://www.gocd.org/releases/#21-4-0 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/releases/tag/21.4.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.gocd.org/releases/#21-4-0 | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9206D570-5BB9-4A11-81AB-21F49B2E10FB",
"versionEndExcluding": "21.4.0",
"versionStartIncluding": "20.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function\u0027s error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua. GoCD versiones 20.2.0 hasta 21.4.0, son vulnerables a un ataque de tipo cross-site scripting reflejado por medio del abuso del manejo de errores de la funci\u00f3n de comparaci\u00f3n de pipeline para renderizar HTML arbitrario en la p\u00e1gina devuelta. Esto podr\u00eda permitir a un atacante enga\u00f1ar a una v\u00edctima para que ejecute un c\u00f3digo que le permitir\u00eda operar o conseguir el control de los mismos recursos a los que la v\u00edctima ten\u00eda acceso. Este problema ha sido corregido en GoCD versi\u00f3n 21.4.0. Como mitigaci\u00f3n, bloquee el acceso a \"/go/compare/.*\" antes del servidor GoCD por medio de un proxy inverso, un firewall de aplicaciones web o un equivalente, lo que impedir\u00eda el uso de la funci\u00f3n de comparaci\u00f3n de pipeline"
}
],
"id": "CVE-2022-29183",
"lastModified": "2024-11-21T06:58:39.633",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-20T19:15:08.333",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/21.4.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-4-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/21.4.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-4-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-03 16:15
Modified
2025-08-01 19:24
Severity ?
Summary
GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2A810379-5DD5-4A23-8C3D-A43D6CF8BBF9",
"versionEndExcluding": "24.5.0",
"versionStartIncluding": "16.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua. Las versiones de GoCD 16.7.0 a 24.4.0 (incluida) pueden permitir que los administradores de GoCD abusen de una caracter\u00edstica oculta/no utilizada del repositorio de configuraci\u00f3n (canalizaciones como c\u00f3digo) para permitir la inyecci\u00f3n de XML External Entity (XXE) en el servidor de GoCD, que se ejecutar\u00e1 cuando GoCD escanee peri\u00f3dicamente los repositorios de configuraci\u00f3n en busca de actualizaciones de canalizaciones, o sea activada por un administrador o administrador del repositorio de configuraci\u00f3n. En la pr\u00e1ctica, el impacto de esta vulnerabilidad es limitado, en la mayor\u00eda de los casos sin combinarse con otra vulnerabilidad, ya que solo los administradores (super) de GoCD tienen la capacidad de aprovechar esta vulnerabilidad. Por lo general, un administrador malintencionado de GoCD puede causar un da\u00f1o mucho mayor que el que puede causar con la inyecci\u00f3n de XXE. El problema se solucion\u00f3 en GoCD 24.5.0. Como workaround, evite el acceso externo desde el servidor de GoCD a ubicaciones arbitrarias utilizando alg\u00fan tipo de control de salida del entorno."
}
],
"id": "CVE-2024-56322",
"lastModified": "2025-08-01T19:24:56.237",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 2.1,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-01-03T16:15:26.480",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://www.gocd.org/releases/#24-5-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-03 16:15
Modified
2025-08-01 20:09
Severity ?
Summary
GoCD is a continuous deliver server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. it is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediate upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "82991491-8373-474D-95B9-F1F305632610",
"versionEndExcluding": "24.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous deliver server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin \"Configuration XML\" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. it is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediate upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua. Las versiones de GoCD anteriores a la 24.5.0 son vulnerables a la escalada de privilegios de administrador debido a la autorizaci\u00f3n incorrecta del acceso a la funci\u00f3n de interfaz de usuario \"XML de configuraci\u00f3n\" del administrador y su API asociada. Un usuario interno malintencionado o un usuario autenticado existente de GoCD con una cuenta de usuario de GoCD existente podr\u00eda aprovechar esta vulnerabilidad para acceder a informaci\u00f3n destinada \u00fanicamente a los administradores de GoCD o para escalar sus privilegios a los de un administrador de GoCD de manera persistente. No es posible que se abuse de esta vulnerabilidad antes de la autenticaci\u00f3n o el inicio de sesi\u00f3n. El problema se solucion\u00f3 en GoCD 24.5.0. Los usuarios de GoCD que no pueden realizar una actualizaci\u00f3n inmediata pueden mitigar este problema utilizando un proxy inverso, WAF o similar para bloquear externamente las rutas de acceso con un prefijo `/go/rails/`. El bloqueo de esta ruta no provoca ninguna p\u00e9rdida de funcionalidad. Si no es posible actualizar o bloquear la ruta anterior, considere reducir la base de usuarios de GoCD a un conjunto de usuarios m\u00e1s confiable, incluida la desactivaci\u00f3n temporal del uso de complementos como el complemento de inicio de sesi\u00f3n de invitado, que permite un acceso an\u00f3nimo limitado como una cuenta de usuario normal."
}
],
"id": "CVE-2024-56320",
"lastModified": "2025-08-01T20:09:15.947",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-01-03T16:15:26.180",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/commit/68b598b97bd283a5a85e20d018d69fe86acf4165"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://www.gocd.org/releases/#24-5-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-12-22 18:15
Modified
2024-11-21 06:31
Severity ?
Summary
Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF). NOTE: the vendor's position is that the observed behavior is not a vulnerability, because the product's design allows an admin to configure outbound requests
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/Mesh3l911/CVE-2021-44659 | Broken Link, Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/gocd/gocd | Product, Third Party Advisory | |
| cve@mitre.org | https://www.gocd.org/ | Product, Vendor Advisory | |
| cve@mitre.org | https://youtu.be/WW_a3znugl0 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Mesh3l911/CVE-2021-44659 | Broken Link, Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd | Product, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.gocd.org/ | Product, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://youtu.be/WW_a3znugl0 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | 21.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:21.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "4DA8CF32-3DBE-452D-9FCD-861A6164F4B5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF). NOTE: the vendor\u0027s position is that the observed behavior is not a vulnerability, because the product\u0027s design allows an admin to configure outbound requests"
},
{
"lang": "es",
"value": "**EN DISPUTA** La adici\u00f3n de una nueva tuber\u00eda en GoCD server versi\u00f3n 21.3.0, presenta una funcionalidad que podr\u00eda ser abusada para realizar una acci\u00f3n no intencionada con el fin de lograr un ataque de tipo Server Side Request Forgery (SSRF). NOTA: la posici\u00f3n del proveedor es que el comportamiento observado no es una vulnerabilidad, porque el dise\u00f1o del producto permite que un administrador configure las solicitudes de salida"
}
],
"id": "CVE-2021-44659",
"lastModified": "2024-11-21T06:31:20.037",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-22T18:15:08.013",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Mesh3l911/CVE-2021-44659"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd"
},
{
"source": "cve@mitre.org",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.gocd.org/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/WW_a3znugl0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Mesh3l911/CVE-2021-44659"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Vendor Advisory"
],
"url": "https://www.gocd.org/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://youtu.be/WW_a3znugl0"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-14 13:15
Modified
2024-11-21 06:29
Severity ?
Summary
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into an arbitrary directory of a GoCD server, but does not control the filename.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.sonarsource.com/gocd-vulnerability-chain | Exploit, Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f | Patch, Third Party Advisory | |
| cve@mitre.org | https://www.gocd.org/releases/#21-3-0 | Issue Tracking, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.sonarsource.com/gocd-vulnerability-chain | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.gocd.org/releases/#21-3-0 | Issue Tracking, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "96C28DAA-9A8B-46E3-9443-656B378A26D8",
"versionEndExcluding": "21.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into an arbitrary directory of a GoCD server, but does not control the filename."
},
{
"lang": "es",
"value": "Se ha detectado un problema en ThoughtWorks GoCD versiones anteriores a 21.3.0. Un atacante que haya comprometido un agente GoCD puede cargar un archivo malicioso en un directorio arbitrario de un servidor GoCD, pero no controla el nombre del archivo"
}
],
"id": "CVE-2021-43289",
"lastModified": "2024-11-21T06:29:00.767",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-14T13:15:11.500",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-3-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/gocd-vulnerability-chain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/4c4bb4780eb0d3fc4cacfc4cfcc0b07e2eaf0595"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/c22e0428164af25d3e91baabd3f538a41cadc82f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-3-0"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-14 20:15
Modified
2024-11-21 07:18
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication or register a new agent to practically exploit this vulnerability. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm | Patch, Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://www.gocd.org/releases/#21-1-0 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm | Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.gocd.org/releases/#21-1-0 | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AE600F59-5CB0-4E7F-B58F-16121BF8F61E",
"versionEndExcluding": "21.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication or register a new agent to practically exploit this vulnerability. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua. GoCD le ayuda a automatizar y agilizar el ciclo de construcci\u00f3n-prueba-lanzamiento para la entrega continua de su producto. Las versiones de GoCD anteriores a la 21.1.0 son vulnerables a la ejecuci\u00f3n remota de c\u00f3digo en el servidor desde un agente malicioso o comprometido. El endpoint de Spring RemoteInvocation expon\u00eda la comunicaci\u00f3n con el agente y permit\u00eda la deserializaci\u00f3n de objetos java arbitrarios, as\u00ed como la posterior ejecuci\u00f3n de c\u00f3digo remoto. La explotaci\u00f3n requiere autenticaci\u00f3n a nivel de agente, por lo que un atacante necesitar\u00eda comprometer un agente existente, su comunicaci\u00f3n de red o registrar un nuevo agente para explotar pr\u00e1cticamente esta vulnerabilidad. Este problema ha sido corregido en GoCD versi\u00f3n 21.1.0. Actualmente no se presentan mitigaciones conocidas"
}
],
"id": "CVE-2022-39311",
"lastModified": "2024-11-21T07:18:00.563",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-14T20:15:16.183",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-1-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#21-1-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-04-01 18:15
Modified
2024-11-21 05:55
Severity ?
Summary
In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/go/api/config/backup` endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the post_backup_script field.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "89B93525-69E5-40CF-BBC6-0D5608C7783C",
"versionEndExcluding": "21.2.0",
"versionStartIncluding": "19.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/go/api/config/backup` endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the post_backup_script field."
},
{
"lang": "es",
"value": "En GoCD, versiones 19.6.0 hasta 21.1.0, son vulnerables a un ataque de tipo Cross-Site Request Forgery debido a la falta de protecci\u00f3n CSRF en el endpoint \"/go/api/config/backup\".\u0026#xa0;Un atacante puede enga\u00f1ar a una v\u00edctima para que haga clic en un enlace malicioso que podr\u00eda cambiar la configuraci\u00f3n de la copia de seguridad o ejecutar comandos del sistema en el campo post_backup_script."
}
],
"id": "CVE-2021-25924",
"lastModified": "2024-11-21T05:55:36.930",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-01T18:15:12.997",
"references": [
{
"source": "vulnerabilitylab@mend.io",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548"
},
{
"source": "vulnerabilitylab@mend.io",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25924%2C"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25924%2C"
}
],
"sourceIdentifier": "vulnerabilitylab@mend.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-01-03 16:15
Modified
2025-08-01 20:03
Severity ?
Summary
GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has ability to configure and schedule pipelines tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup-scripts. However in restricted environments where the host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E635C706-A9AD-4E3E-8ADB-D0E39CF5ECC9",
"versionEndExcluding": "24.5.0",
"versionStartIncluding": "18.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration \"post-backup script\" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD\u0027s user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has ability to configure and schedule pipelines tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup-scripts. However in restricted environments where the host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua. Las versiones de GoCD 18.9.0 a 24.4.0 (incluida) pueden permitir que los administradores de GoCD abusen de la funci\u00f3n de \"script posterior a la copia de seguridad\" de la configuraci\u00f3n de copia de seguridad para ejecutar potencialmente scripts arbitrarios en el servidor o contenedor de alojamiento como usuario de GoCD, en lugar de scripts preconfigurados. En la pr\u00e1ctica, el impacto de esta vulnerabilidad es limitado, ya que en la mayor\u00eda de las configuraciones, un usuario que puede iniciar sesi\u00f3n en la interfaz de usuario de GoCD como administrador tambi\u00e9n tiene permisos de administraci\u00f3n de host para el host/contenedor en el que se ejecuta GoCD, con el fin de administrar el almacenamiento de artefactos y otras opciones de configuraci\u00f3n a nivel de servicio. Adem\u00e1s, dado que un administrador de GoCD tiene la capacidad de configurar y programar tareas de canalizaci\u00f3n en todos los agentes de GoCD disponibles para el servidor, la funcionalidad fundamental de GoCD permite la ejecuci\u00f3n coordinada de tareas similar a la de los scripts posteriores a la copia de seguridad. Sin embargo, en entornos restringidos donde la administraci\u00f3n del host est\u00e1 separada del rol de un administrador de GoCD, esto puede ser inesperado. El problema se solucion\u00f3 en GoCD 24.5.0. Los scripts posteriores a la copia de seguridad ya no se pueden ejecutar desde ciertas ubicaciones confidenciales del servidor GoCD. No se conocen workarounds."
}
],
"id": "CVE-2024-56321",
"lastModified": "2025-08-01T20:03:29.550",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-01-03T16:15:26.340",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-7jr3-gh3w-vjxq"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://www.gocd.org/releases/#24-5-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-36"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-20 19:15
Modified
2024-11-21 06:58
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run's Stage Details > Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user's browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph's iframe. This could allow an attacker to steal a GoCD user's session cookies and/or execute malicious code in the user's context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/gocd/gocd/pull/10190/commits/a256d05de1445e6c77843f098581fc6a66fe4477 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/gocd/gocd/releases/tag/22.1.0 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/gocd/gocd/security/advisories/GHSA-qcg6-4q44-3589 | Third Party Advisory | |
| security-advisories@github.com | https://www.gocd.org/releases/#22-1-0 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/pull/10190/commits/a256d05de1445e6c77843f098581fc6a66fe4477 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/releases/tag/22.1.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gocd/gocd/security/advisories/GHSA-qcg6-4q44-3589 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.gocd.org/releases/#22-1-0 | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| thoughtworks | gocd | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A51919B4-989A-4FED-A34F-DB8C1885564D",
"versionEndIncluding": "21.4.0",
"versionStartIncluding": "19.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run\u0027s Stage Details \u003e Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user\u0027s browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph\u0027s iframe. This could allow an attacker to steal a GoCD user\u0027s session cookies and/or execute malicious code in the user\u0027s context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds."
},
{
"lang": "es",
"value": "GoCD es un servidor de entrega continua. GoCD versiones 19.11.0 a 21.4.0 (inclusive), son vulnerables a un ataque de tipo cross-site scripting attack basado en el Modelo de Objetos de Documentos (DOM) por medio de la pesta\u00f1a Stage Details ) Graphs de una ejecuci\u00f3n de canalizaci\u00f3n. Es posible que un script malicioso en un sitio alojado por el atacante ejecute un script que ser\u00e1 ejecutado dentro del contexto del navegador del usuario y de la sesi\u00f3n GoCD por medio de un abuso de un canal de mensajer\u00eda usado para la comunicaci\u00f3n entre la p\u00e1gina principal y el iframe del gr\u00e1fico de detalles de la etapa. Esto podr\u00eda permitir a un atacante robar las cookies de sesi\u00f3n de un usuario de GoCD y/o ejecutar c\u00f3digo malicioso en el contexto del usuario. Este problema ha sido corregido en GoCD versi\u00f3n 22.1.0. Actualmente no se conocen mitigaciones"
}
],
"id": "CVE-2022-29182",
"lastModified": "2024-11-21T06:58:39.500",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-20T19:15:08.267",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/pull/10190/commits/a256d05de1445e6c77843f098581fc6a66fe4477"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-qcg6-4q44-3589"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#22-1-0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/pull/10190/commits/a256d05de1445e6c77843f098581fc6a66fe4477"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/releases/tag/22.1.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gocd/gocd/security/advisories/GHSA-qcg6-4q44-3589"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.gocd.org/releases/#22-1-0"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}