CVE-2022-39310

Malicious agent may be able to impersonate another agent in GoCD

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authenticated agent to impersonate another agent, and thus receive work packages for other agents due to broken access control and incorrect validation of agent tokens within the GoCD server. Since work packages can contain sensitive information such as credentials intended only for a given job running against a specific agent environment, this can cause accidental information disclosure. Exploitation requires knowledge of agent identifiers and ability to authenticate as an existing agent with the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.

GoCD es un servidor de entrega continua. GoCD le ayuda a automatizar y agilizar el ciclo de construcción-prueba-lanzamiento para la entrega continua de su producto. Las versiones de GoCD anteriores a 21.1.0 pueden permitir a un agente autenticado hacerse pasar por otro agente y, por lo tanto, reciba paquetes de trabajo para otros agentes debido a un control de acceso roto y a una comprobación incorrecta de los tokens de los agentes dentro del servidor de GoCD. Dado que los paquetes de trabajo pueden contener información confidencial, como credenciales destinadas únicamente a un trabajo determinado que es ejecutado en un entorno de agente específico, esto puede causar la divulgación accidental de información. La explotación requiere el conocimiento de los identificadores del agente y la capacidad de autenticarse como un agente existente con el servidor GoCD. Este problema ha sido corregido en GoCD versión 21.1.0. Actualmente no se presentan mitigaciones conocidas

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-02 CVE Reserved
2022-10-14 CVE Published
2024-05-06 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-284: Improper Access Control

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/gocd/gocd/pull/8877	2022-10-19
https://github.com/gocd/gocd/security/advisories/GHSA-4fp5-33jh-hgcq	2022-10-19

URL	Date	SRC
https://www.gocd.org/releases/#21-1-0	2022-10-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Thoughtworks Search vendor "Thoughtworks"		Gocd Search vendor "Thoughtworks" for product "Gocd"				< 21.1.0 Search vendor "Thoughtworks" for product "Gocd" and version " < 21.1.0"		-		Affected