Gocd
CVE-2022-29183
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to /go/compare/.* prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function.
AnalysisAI
GoCD is a continuous delivery server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to /go/compare/.* prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function. Affected products include: Thoughtworks Gocd.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action
GoCD is a continuous delivery server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at
GoCD is a continuous delivery server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at
In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/
GoCD is an open source a continuous delivery server. Rated medium severity (CVSS 6.8), this vulnerability is remotely ex
GoCD is a continuous delivery server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low
GoCD is a continuous delivery server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low
GoCD is a continuous delivery server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no a
GoCD is a continuous delivery server. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no a
GoCD is a continuous delivery server. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Thi
GoCD is an open source continuous delivery server. Rated medium severity (CVSS 5.4), this vulnerability is remotely expl
GoCD is a continuous delivery server. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no a
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today