Gocd
CVE-2022-39310
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authenticated agent to impersonate another agent, and thus receive work packages for other agents due to broken access control and incorrect validation of agent tokens within the GoCD server. Since work packages can contain sensitive information such as credentials intended only for a given job running against a specific agent environment, this can cause accidental information disclosure. Exploitation requires knowledge of agent identifiers and ability to authenticate as an existing agent with the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.
AnalysisAI
GoCD is a continuous delivery server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-284. GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authenticated agent to impersonate another agent, and thus receive work packages for other agents due to broken access control and incorrect validation of agent tokens within the GoCD server. Since work packages can contain sensitive information such as credentials intended only for a given job running against a specific agent environment, this can cause accidental information disclosure. Exploitation requires knowledge of agent identifiers and ability to authenticate as an existing agent with the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds. Affected products include: Thoughtworks Gocd. Version information: prior to 21.1.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action
GoCD is a continuous delivery server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at
GoCD is a continuous delivery server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at
In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/
GoCD is an open source a continuous delivery server. Rated medium severity (CVSS 6.8), this vulnerability is remotely ex
GoCD is a continuous delivery server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low
GoCD is a continuous delivery server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no a
GoCD is a continuous delivery server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no a
GoCD is a continuous delivery server. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no a
GoCD is a continuous delivery server. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Thi
GoCD is an open source continuous delivery server. Rated medium severity (CVSS 5.4), this vulnerability is remotely expl
GoCD is a continuous delivery server. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no a
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today