CVE-2022-39309 – GoCD server secret encryption/decryption key leaked to agents during material serialization
https://notcve.org/view.php?id=CVE-2022-39309
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt/decrypt any secure variables/secrets in GoCD configuration to authenticated agents. A malicious or compromised agent can read that key from memory and, if the attacker can also obtain encrypted configuration values from the GoCD server, decrypt secrets intended for other agents or environments. This issue is fixed in GoCD version 21.1.0.
• https://github.com/gocd/gocd/commit/691b479f1310034992da141760e9c5d1f5b60e8a
• https://github.com/gocd/gocd/releases/tag/21.1.0
• https://github.com/gocd/gocd/security/advisories/GHSA-f9qg-xcxq-cgv9
• https://www.gocd.org/releases/#21-1-0
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-499: Serializable Class Containing Sensitive Data
• CWE-668: Exposure of Resource to Wrong Sphere
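The CWE-499 pattern behind this advisory, as an added illustration (this is not GoCD's code; the class and field names are a constructed model): a material object keeps a reference to the server-side object that holds the config-encryption key, and a reflective serializer that walks the whole object graph ships that key to the agent. The hardened serializer uses an explicit allowlist of fields, and `leaks_key` is the kind of regression check that would have caught the leak. Which fields an agent legitimately needs is assumed here, not taken from the page.

```python
import base64
import json
from dataclasses import dataclass


class CipherHandle:
    """Stands in for the server-side object holding the symmetric
    config-encryption key (constructed model, not a GoCD class)."""

    def __init__(self, key: bytes):
        self.key = key


@dataclass
class Material:
    url: str
    branch: str
    encrypted_password: str   # ciphertext as stored in the server config
    cipher: CipherHandle      # server-only reference; must never be serialized


def _to_jsonable(obj):
    """Reflective walk over an object graph: the leaky pattern (CWE-499).
    Every attribute reachable from the root ends up on the wire."""
    if isinstance(obj, bytes):
        return obj.hex()
    if isinstance(obj, (str, int, float, bool)) or obj is None:
        return obj
    if isinstance(obj, (list, tuple)):
        return [_to_jsonable(x) for x in obj]
    if isinstance(obj, dict):
        return {k: _to_jsonable(v) for k, v in obj.items()}
    return {k: _to_jsonable(v) for k, v in vars(obj).items()}


def serialize_for_agent_leaky(material: Material) -> str:
    """Vulnerable: follows the cipher reference and emits its key."""
    return json.dumps(_to_jsonable(material))


def serialize_for_agent(material: Material) -> str:
    """Hardened: only the allowlisted fields cross the trust boundary.
    Assumption: the agent needs url, branch and the encrypted value; it never
    needs the key itself."""
    return json.dumps({
        "url": material.url,
        "branch": material.branch,
        "encrypted_password": material.encrypted_password,
    })


def leaks_key(wire: str, key: bytes) -> bool:
    """Regression check: does the wire payload contain the key in any
    of the encodings a serializer is likely to use?"""
    encodings = {key.hex(), base64.b64encode(key).decode()}
    return any(enc in wire for enc in encodings)


# Constructed sample data (not real key material or a real repository).
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE = Material("https://example.invalid/repo", "main", "AES:deadbeef", CipherHandle(KEY))

if __name__ == "__main__":
    print("leaky payload leaks key:", leaks_key(serialize_for_agent_leaky(SAMPLE), KEY))
    print("allowlisted payload leaks key:", leaks_key(serialize_for_agent(SAMPLE), KEY))
```

The check in `leaks_key` belongs in the test suite of whatever component builds agent-bound messages: it is cheap, and it turns "we think the key is transient" into something that fails the build when a new field reintroduces the reference.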
CVE-2022-39308 – GoCD API authentication of user access tokens subject to timing attack during comparison
https://notcve.org/view.php?id=CVE-2022-39308
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens, because the token is validated with an ordinary string comparison rather than a constant-time algorithm. An ordinary comparison stops at the first mismatching byte, so response time reveals how long a matching prefix the guess has; an attacker who can make repeated GoCD server API calls and measure those differences can recover, byte by byte, an access token generated by a user for API access. This issue is fixed in GoCD version 19.11.0.
• https://github.com/gocd/gocd/commit/236d4baf92e6607f2841c151c855adcc477238b8
• https://github.com/gocd/gocd/releases/tag/19.11.0
• https://github.com/gocd/gocd/security/advisories/GHSA-999p-fp84-jcpq
• https://www.gocd.org/releases/#19-11-0
• CWE-208: Observable Timing Discrepancy
• CWE-697: Incorrect Comparison
• CWE-1254: Incorrect Comparison Logic Granularity
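A worked demonstration of the weakness and its fix, added here and not taken from GoCD's code base. Wall-clock timing is noisy, so the example replaces it with a deterministic stand-in: each comparison reports how many bytes it examined, which is exactly the quantity an early-exit comparison leaks through response time. `recover_with_oracle` then runs the byte-by-byte attack against both comparisons. The token value and hex alphabet are constructed for the example; the production-grade fix is the standard-library `hmac.compare_digest` (in Java, `MessageDigest.isEqual`).

```python
import hmac

HEX = "0123456789abcdef"
# Constructed sample token for the demonstration (not a real GoCD token).
TOKEN = "3f9a0c4e7b1d5862"


def naive_equals(expected: str, supplied: str) -> tuple[bool, int]:
    """Early-exit comparison of the vulnerable kind (CWE-208).
    Returns (match, number of byte comparisons performed)."""
    e, s = expected.encode(), supplied.encode()
    steps = 0
    if len(e) != len(s):
        return False, steps
    for a, b in zip(e, s):
        steps += 1
        if a != b:            # stops here: work done reveals the mismatch position
            return False, steps
    return True, steps


def constant_time_equals(expected: str, supplied: str) -> tuple[bool, int]:
    """Branch-free comparison: the work depends only on len(expected)."""
    e, s = expected.encode(), supplied.encode()
    diff = len(e) ^ len(s)
    steps = 0
    for i in range(len(e)):
        steps += 1
        diff |= e[i] ^ (s[i] if i < len(s) else 0)
    return diff == 0, steps


def validate_token(expected: str, supplied: str) -> bool:
    """What production code should call: the stdlib constant-time helper."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def recover_with_oracle(compare, target: str) -> str:
    """Recover `target` one character at a time, using the step count of
    `compare` as the oracle an attacker would obtain from response timing.
    Succeeds against naive_equals; yields garbage against constant_time_equals."""
    recovered = ""
    for pos in range(len(target)):
        best_char, best_score = None, -1
        for c in HEX:
            # 'z' is outside the hex alphabet, so the filler never matches by accident.
            guess = recovered + c + "z" * (len(target) - pos - 1)
            match, steps = compare(target, guess)
            score = 2 * steps + int(match)   # a full match outranks an equal step count
            if score > best_score:
                best_char, best_score = c, score
        recovered += best_char
    return recovered


if __name__ == "__main__":
    print("against naive_equals:        ", recover_with_oracle(naive_equals, TOKEN))
    print("against constant_time_equals:", recover_with_oracle(constant_time_equals, TOKEN))
    print("validate_token ok:", validate_token(TOKEN, TOKEN))
```

Against the early-exit comparison the attack needs at most 16 guesses per character instead of 16 to the power of the token length; against the constant-time version every guess costs the same and the oracle learns nothing. Note that `constant_time_equals` still leaks the expected length through its loop bound; for a fixed-format token that is acceptable, and `hmac.compare_digest` handles the general case.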
CVE-2022-36088 – GoCD Windows installations outside default location inadequately restrict installation file permissions
https://notcve.org/view.php?id=CVE-2022-36088
GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the host on which GoCD Server or Agent is installed to modify executables or components of the installation, and therefore to run code with the privileges of the GoCD service the next time those components are loaded. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers.
• https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6
• https://github.com/gocd/gocd/releases/tag/22.2.0
• https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj
• https://www.gocd.org/releases/#22-2-0
• CWE-269: Improper Privilege Management
• CWE-284: Improper Access Control
CVE-2022-29184 – Command Injection/Argument Injection in GoCD
https://notcve.org/view.php?id=CVE-2022-29184
GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where "pipelines-as-code" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image.
• https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb
• https://github.com/gocd/gocd/releases/tag/22.1.0
• https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h
• https://www.gocd.org/releases/#22-1-0
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
• CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
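The two CWEs above name different bugs, and the distinction matters for the fix. Passing arguments as a list (no shell) defeats classic command injection, but it does nothing against argument injection: a configuration value that begins with `-` is still parsed by `hg` as an option, and `--config` can redefine hooks and aliases. The example below is added here and is not GoCD's code; the exact way GoCD invoked `hg` and the real payload are not on the page, so the command shape (`hg update <branch>`) and the option-shaped branch name are constructed. The hardened builder rejects option-shaped values with a conservative allowlist and also puts `--` before the positional argument as defence in depth.

```python
import re

# Conservative allowlist for values that will become hg arguments. Mercurial
# branch names are free-form, so this rejects some legitimate names; the rule
# is an assumption for this example, not GoCD's validation.
_SAFE_BRANCH = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]*$")


def is_option_like(value: str) -> bool:
    """True if a CLI parser would read this value as an option, not data."""
    return value.startswith("-")


def build_hg_argv_vulnerable(branch: str) -> list[str]:
    """Vulnerable shape: the untrusted branch name becomes an argv element as-is.
    No shell is involved (so shlex/quoting cannot help); the problem is that hg
    itself interprets a leading '-' (CWE-88)."""
    return ["hg", "update", branch]


def validate_branch(branch: str) -> str:
    """Reject anything hg could mistake for an option or that is otherwise
    outside the allowlist. Raises ValueError on bad input."""
    if is_option_like(branch) or not _SAFE_BRANCH.match(branch):
        raise ValueError(f"refusing unsafe branch name: {branch!r}")
    return branch


def build_hg_argv_hardened(branch: str) -> list[str]:
    """Hardened shape: validate first, then separate options from positionals
    with '--' so that even a value that slipped through is not parsed as an option."""
    return ["hg", "update", "--", validate_branch(branch)]


def untrusted_tokens_parsed_as_options(argv: list[str], untrusted: list[str]) -> list[str]:
    """Audit helper: which untrusted values landed in argv where the tool would
    treat them as options (i.e. option-shaped and not preceded by '--')?"""
    hits = []
    end_of_options = False
    for token in argv[1:]:
        if token == "--":
            end_of_options = True
            continue
        if token in untrusted and is_option_like(token) and not end_of_options:
            hits.append(token)
    return hits


# Constructed option-shaped value illustrating the class of input; the page
# says hooks/aliases were abused but does not give the real payload.
HOSTILE_BRANCH = "--config=hooks.update=echo injected"

if __name__ == "__main__":
    argv = build_hg_argv_vulnerable(HOSTILE_BRANCH)
    print("vulnerable argv:", argv)
    print("parsed as options:", untrusted_tokens_parsed_as_options(argv, [HOSTILE_BRANCH]))
    try:
        build_hg_argv_hardened(HOSTILE_BRANCH)
    except ValueError as exc:
        print("hardened builder rejected it:", exc)
    print("hardened argv for a normal branch:", build_hg_argv_hardened("release/1.2"))
```

The audit helper is the practical takeaway for reviewing other integrations that shell out to `git`, `hg`, `svn` or `p4`: for every user-controlled value, check whether it can start with `-` and whether the tool's `--` separator is in place, because list-form `subprocess` calls are routinely mistaken for a complete fix.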
CVE-2022-29183 – Reflected XSS in GoCD
https://notcve.org/view.php?id=CVE-2022-29183
GoCD is a continuous delivery server. GoCD versions from 20.2.0 up to, but not including, 21.4.0 are vulnerable to reflected cross-site scripting: the pipeline comparison function's error handling renders attacker-controlled input as unescaped HTML in the returned page. An attacker who tricks a victim into opening a crafted link can execute script in the victim's GoCD session and operate on, or gain control over, the same resources the victim has access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` in front of the GoCD Server via a reverse proxy, web application firewall or equivalent; this disables the pipeline comparison function.
• https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1
• https://github.com/gocd/gocd/releases/tag/21.4.0
• https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf
• https://www.gocd.org/releases/#21-4-0
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')