Lucene search

K
cve[email protected]CVE-2023-28630
HistoryMar 27, 2023 - 9:15 p.m.

CVE-2023-28630

2023-03-2721:15:12
CWE-532
web.nvd.nist.gov
16
gocd
cve-2023-28630
database access
postgresql
mysql
backup tools
credentials leakage
vulnerability
security update

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

4.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0, if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools, the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled, but does not have access to the pg_dump or mysqldump utility tools to backup the configured database type (PostgreSQL or MySQL respectively). In such cases, failure to launch the expected backup utility reports the shell environment used to attempt to launch in the server admin alert, which includes the plaintext database password supplied to the configured tool. This vulnerability does not affect backups of the default on-disk H2 database that GoCD is configured to use. This issue has been addressed and fixed in GoCD 23.1.0. Users are advised to upgrade. Users unable to upgrade may disable backups, or administrators should ensure that the required pg_dump (PostgreSQL) or mysqldump (MySQL) binaries are available on the GoCD server when backups are triggered.

Affected configurations

Vulners
NVD
Node
gocdgocdRange20.5.023.1.0

CNA Affected

[
  {
    "vendor": "gocd",
    "product": "gocd",
    "versions": [
      {
        "version": ">= 20.5.0, < 23.1.0",
        "status": "affected"
      }
    ]
  }
]

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

4.8 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

Related for CVE-2023-28630