227 matches found
CVE-2021-43287
An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers...
CVE-2021-43288
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker in control of a GoCD Agent can plant malicious JavaScript into a failed Job Report...
CVE-2021-25924
In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the /go/api/config/backup endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the...
Pre-Auth Takeover of Build Pipelines in GoCD (CVE-2021-43287)
Please see https://blog.sonarsource.com/gocd-pre-auth-pipeline-takeover. Recent assessments: wvu-r7 at November 03, 2021 9:13pm UTC reported: This assessment has moved to the Rapid7 analysis. Thank you. Assessed Attacker Value: 5 Assessed Attacker Value: 5Assessed Attacker Value: 5...
CVE-2022-29184
GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a...
CVE-2022-24832
GoCD is an open source a continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it ca...
CVE-2022-39311
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation...
The vulnerability of the server for the Continuous Integration and Delivery system (CI/CD) of GoCD arises from incorrect restrictions on XML references to external objects. This allows attackers to perform XXE attacks.
The vulnerability of the CI/CD server of GoCD is related to an incorrect restriction on XML references to external objects. Exploiting this vulnerability allows a malicious actor to perform XXE attacks remotely...
The vulnerability of the server for the Continuous Integration and Delivery system (CI/CD) of GoCD arises from incorrect restrictions on XML references to external objects. This allows attackers to perform XXE attacks.
The vulnerability of the CI/CD server of GoCD is related to an incorrect restriction on XML references to external objects. Exploiting this vulnerability allows a malicious actor to perform XXE attacks remotely...
CVE-2024-56322
GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 inclusive can allow GoCD admins to abuse a hidden/unused configuration repository pipelines as code feature to allow XML External Entity XXE injection on the GoCD Server which will be executed when GoCD periodically scans...
CVE-2024-56321
GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 inclusive can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. I...
CVE-2024-56324
GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity XXE injection on the GoCD server. Theoretically, the XXE vulnerability can result in...
CVE-2024-56320
GoCD is a continuous deliver server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD...
CVE-2024-56324 GoCD vulnerable to XXE injection via abuse of pipeline XML "snippet" editing by group admins
GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity XXE injection on the GoCD server. Theoretically, the XXE vulnerability can result in...
CVE-2024-56324 GoCD vulnerable to XXE injection via abuse of pipeline XML "snippet" editing by group admins
GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity XXE injection on the GoCD server. Theoretically, the XXE vulnerability can result in...
CVE-2024-56324 GoCD vulnerable to XXE injection via abuse of pipeline XML "snippet" editing by group admins
GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity XXE injection on the GoCD server. Theoretically, the XXE vulnerability can result in...
CVE-2024-56324
GoCD versions prior to 24.4.0 allow group admins to abuse the ability to edit raw XML configuration for groups, triggering an XML External Entity (XXE) injection on the GoCD server. This can potentially lead to SSRF, information disclosure, and directory traversal, though exploitation specifics a...
CVE-2024-56322
CVE-2024-56322 affects GoCD (versions 16.7.0 through 24.4.0). The root cause is an abuse of a hidden/unused configuration repository (pipelines as code) feature that enables XML External Entity (XXE) injection on the GoCD Server. This injection is triggered when GoCD scans configuration repositor...
CVE-2024-56322 GoCD vulnerable to XXE injection via abuse of unused XML configuration repository functionality
GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 inclusive can allow GoCD admins to abuse a hidden/unused configuration repository pipelines as code feature to allow XML External Entity XXE injection on the GoCD Server which will be executed when GoCD periodically scans...
CVE-2024-56322 GoCD vulnerable to XXE injection via abuse of unused XML configuration repository functionality
GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 inclusive can allow GoCD admins to abuse a hidden/unused configuration repository pipelines as code feature to allow XML External Entity XXE injection on the GoCD Server which will be executed when GoCD periodically scans...