CVE-2024-28866 – GoCD vulnerable to reflected Cross-site Scripting possible on server loading page during start-up
https://notcve.org/view.php?id=CVE-2024-28866
GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on the loading page displayed while GoCD is starting, via abuse of a `redirect_to` query parameter with inadequate validation. Attackers could theoretically abuse the query parameter to steal session tokens or other values from the user's browser. In practice, exploiting this to perform privileged actions is likely rather difficult, because the target user would need to be induced to open an attacker-crafted link in the period where the server is starting up (but not completely started), requiring chaining with a separate denial-of-service vulnerability. Additionally, GoCD server restarts invalidate earlier session tokens (i.e. GoCD does not support persistent sessions), so a stolen session token would be unusable once the server has completed its restart, and any executed XSS would run within a logged-out context. The issue is fixed in GoCD 24.1.0. As a workaround, it is technically possible in earlier GoCD versions to override the loading page with an earlier version which is not vulnerable, by starting GoCD with the Java system property override set to either `-Dloading.page.resource.path=/loading_pages/default.loading.page.html` (a simpler early version of the loading page without the GoCD introduction) or `-Dloading.page.resource.path=/does_not_exist.html` (to display a simple message with no interactivity).
References:
https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402
https://github.com/gocd/gocd/releases/tag/24.1.0
https://github.com/gocd/gocd/security/advisories/GHSA-q882-q6mm-mgvh
https://www.gocd.org/releases/#24-1-0
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28629 – Stored XSS possible on VSM and Job Details pages via malicious pipeline label configuration in gocd
https://notcve.org/view.php?id=CVE-2023-28629
GoCD is an open source continuous delivery server. GoCD versions before 23.1.0 are vulnerable to a stored XSS vulnerability, where a pipeline configuration with a malicious pipeline label configuration can affect the browser display of pipeline runs generated from that configuration. An attacker that has permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing an XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Details for runs of the affected pipeline, potentially allowing them to perform arbitrary actions within the victim's browser context rather than their own. This issue has been fixed in GoCD 23.1.0. Users are advised to upgrade.
References:
https://docs.gocd.org/current/configuration/pipeline_labeling.html
https://github.com/gocd/gocd/commit/95f758229d419411a38577608709d8552cccf193
https://github.com/gocd/gocd/commit/c6aa644973b034305bbe9ea34b010dcf5b5790ce
https://github.com/gocd/gocd/releases/tag/23.1.0
https://github.com/gocd/gocd/security/advisories/GHSA-3vvg-gjfr-q9vm
https://www.gocd.org/releases/#23-1-0
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28630 – Sensitive information disclosure possible on misconfigured failed backups of non-H2 databases in gocd
https://notcve.org/view.php?id=CVE-2023-28630
GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 up to (but not including) 23.1.0, if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools, the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled, but does not have access to the `pg_dump` or `mysqldump` utility needed to back up the configured database type (PostgreSQL or MySQL respectively). In such cases, failure to launch the expected backup utility reports, in the server admin alert, the shell environment used for the launch attempt, which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use.
References:
https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d
https://github.com/gocd/gocd/releases/tag/23.1.0
https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv
https://www.gocd.org/releases/#23-1-0
CWE-532: Insertion of Sensitive Information into Log File
CVE-2022-36088 – GoCD Windows installations outside default location inadequately restrict installation file permissions
https://notcve.org/view.php?id=CVE-2022-36088
GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the host on which the GoCD Server or Agent is installed to modify executables or components of the installation. This does not affect zip file-based installs, installations on other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in the GoCD 22.2.0 installers.
References:
https://github.com/gocd/gocd/commit/96add9605096ab50c5cd4c229be1d503aff506a6
https://github.com/gocd/gocd/releases/tag/22.2.0
https://github.com/gocd/gocd/security/advisories/GHSA-gpv4-xqhc-5vcj
https://www.gocd.org/releases/#22-2-0
CWE-269: Improper Privilege Management
CWE-284: Improper Access Control
CVE-2022-29184 – Command Injection/Argument Injection in GoCD
https://notcve.org/view.php?id=CVE-2022-29184
GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to obtain remote code execution capability on the GoCD server by configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where "pipelines-as-code" configuration repositories are used, to commit malicious configuration to such an external repository, which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use or rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image.
References:
https://github.com/gocd/gocd/commit/37d35115db2ada2190173f9413cfe1bc6c295ecb
https://github.com/gocd/gocd/releases/tag/22.1.0
https://github.com/gocd/gocd/security/advisories/GHSA-vf5r-r7j2-cf2h
https://www.gocd.org/releases/#22-1-0
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')