CVSS: 3.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28866 – GoCD vulnerable to reflected Cross-site Scripting possible on server loading page during start-up
https://notcve.org/view.php?id=CVE-2024-28866
GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on the loading page displayed while GoCD is starting, via abuse of a `redirect_to` query parameter with inadequate validation. Attackers could theoretically abuse the query parameter to steal session tokens or other values from the user's browser. In practice exploiting this to perform privileged actions is likely rather difficult to exploit because the target user would need to be triggered to open an attacker-crafted link in the period where the server is starting up (but not completely started), requiring chaining with a separate denial-of-service vulnerability. Additionally, GoCD server restarts invalidate earlier session tokens (i.e GoCD does not support persistent sessions), so a stolen session token would be unusable once the server has completed restart, and executed XSS would be done within a logged-out context. The issue is fixed in GoCD 24.1.0. As a workaround, it is technically possible in earlier GoCD versions to override the loading page with an earlier version which is not vulnerable, by starting GoCD with the Java system property override as either `-Dloading.page.resource.path=/loading_pages/default.loading.page.html` (simpler early version of loading page without GoCD introduction) or `-Dloading.page.resource.path=/does_not_exist.html` (to display a simple message with no interactivity). • https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402 https://github.com/gocd/gocd/releases/tag/24.1.0 https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh https://www.gocd.org/releases/#24-1-0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28629 – Stored XSS possible on VSM and Job Details pages via malicious pipeline label configuration in gocd
https://notcve.org/view.php?id=CVE-2023-28629
GoCD is an open source continuous delivery server. GoCD versions before 23.1.0 are vulnerable to a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. An attacker that has permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing a XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Details for runs of the affected pipeline, potentially allowing them to perform arbitrary actions within the victim's browser context rather than their own. This issue has been fixed in GoCD 23.1.0. Users are advised to upgrade. • https://docs.gocd.org/current/configuration/pipeline_labeling.html https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193 https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce https://github.com/gocd/gocd/releases/tag/23.1.0 https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm https://www.gocd.org/releases/#23-1-0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28630 – Sensitive information disclosure possible on misconfigured failed backups of non-H2 databases in gocd
https://notcve.org/view.php?id=CVE-2023-28630
GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0, if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools, the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled, but does not have access to the `pg_dump` or `mysqldump` utility tools to backup the configured database type (PostgreSQL or MySQL respectively). In such cases, failure to launch the expected backup utility reports the shell environment used to attempt to launch in the server admin alert, which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use. • https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d https://github.com/gocd/gocd/releases/tag/23.1.0 https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv https://www.gocd.org/releases/#23-1-0 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39311 – Compromised agents may be able to execute remote code on GoCD Server
https://notcve.org/view.php?id=CVE-2022-39311
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication or register a new agent to practically exploit this vulnerability. • https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8 https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm https://www.gocd.org/releases/#21-1-0 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39310 – Malicious agent may be able to impersonate another agent in GoCD
https://notcve.org/view.php?id=CVE-2022-39310
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authenticated agent to impersonate another agent, and thus receive work packages for other agents due to broken access control and incorrect validation of agent tokens within the GoCD server. Since work packages can contain sensitive information such as credentials intended only for a given job running against a specific agent environment, this can cause accidental information disclosure. Exploitation requires knowledge of agent identifiers and ability to authenticate as an existing agent with the GoCD server. • https://github.com/gocd/gocd/pull/8877 https://github.com/gocd/gocd/security/advisories/GHSA-4fp5-33jh-hgcq https://www.gocd.org/releases/#21-1-0 • CWE-284: Improper Access Control •