Lucene search

K
cve[email protected]CVE-2022-36088
HistorySep 07, 2022 - 11:15 p.m.

CVE-2022-36088

2022-09-0723:15:14
CWE-284
CWE-269
web.nvd.nist.gov
19
gocd
cve-2022-36088
windows
security
permissions
nvd

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

5.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside Program Files or Program Files (x86). This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of Program Files (x86), verify the the permission of the Server or Agent installation directory to ensure the Everyone user group does not have Full Control, Modify or Write permissions.

Affected configurations

Vulners
NVD
Node
gocdgocdRange<22.2.0

CNA Affected

[
  {
    "product": "gocd",
    "vendor": "gocd",
    "versions": [
      {
        "status": "affected",
        "version": "< 22.2.0"
      }
    ]
  }
]

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

5.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

Related for CVE-2022-36088