Lucene search
K
ThoughtworksGocd

23 matches found

CVE
CVE
added 2022/04/14 11:52 a.m.124 views

CVE-2021-43287

CVE-2021-43287 affects ThoughtWorks GoCD prior to 21.3.0. The vulnerability is an information-disclosure flaw in the default-enabled business-continuity add-on, allowing unauthenticated attackers to leak all secrets known to the GoCD server (e.g., build secrets, encryption keys). The linked sourc...

7.5CVSS7.5AI score0.28039EPSS
In wild
CVE
CVE
added 2025/01/03 3:37 p.m.108 views

CVE-2024-56320

GoCD before 24.5.0 is vulnerable to admin privilege escalation via improper authorization of the admin “Configuration XML” UI and related API. An authenticated GoCD user with an existing account can access information intended only for admins or elevate privileges to admin, with exploitation requ...

9.4CVSS6.5AI score0.00727EPSS
CVE
CVE
added 2022/04/14 12:55 p.m.105 views

CVE-2021-43290

ThoughtWorks GoCD before 21.3.0 is affected. An attacker who gains control of a GoCD agent can upload a malicious file into a server directory, with the file name controllable but the directory placed within an untrusted path. Affected component: GoCD server handling uploaded files; root cause: d...

9.8CVSS9.4AI score0.03169EPSS
CVE
CVE
added 2022/04/11 8:20 p.m.100 views

CVE-2022-24832

The CVE-2022-24832 issue affects GoCD where the bundled gocd-ldap-authentication-plugin does not properly escape special characters in LDAP usernames when constructing LDAP queries. This can enable an LDAP-authenticated GoCD user to craft and execute malicious queries to infer facts about other L...

8.2CVSS7.1AI score0.01629EPSS
CVE
CVE
added 2022/04/14 12:55 p.m.88 views

CVE-2021-43288

Summary: CVE-2021-43288 affects ThoughtWorks GoCD before 21.3.0. If an attacker controls a GoCD Agent, they can inject malicious JavaScript into a failed Job Report, enabling cross‑site scripting in affected dashboards. Affected product/branch: ThoughtWorks GoCD server (versions prior to 21.3.0)....

5.4CVSS5.5AI score0.00898EPSS
CVE
CVE
added 2022/05/20 7:25 p.m.88 views

CVE-2022-29184

GoCD vulnerability (CVE-2022-29184) : In GoCD versions prior to 22.1.0, authenticated admins who can edit or create pipeline materials or configuration repositories can trigger remote code execution on the GoCD server by configuring a malicious branch name that abuses Mercurial hooks/aliases duri...

8.8CVSS9AI score0.03637EPSS
CVE
CVE
added 2022/04/14 12:55 p.m.86 views

CVE-2021-43286

ThoughtWorks GoCD prior to 21.3.0 is affected by a command-line injection vulnerability in the Git URL “Test Connection” feature. An attacker who has privileges to create a new pipeline can exploit this to execute arbitrary code on the GoCD server. The issue is concrete in GoCD from the public ad...

8.8CVSS8.9AI score0.02715EPSS
CVE
CVE
added 2022/04/14 12:55 p.m.82 views

CVE-2021-43289

CVE-2021-43289 affects ThoughtWorks GoCD prior to 21.3.0. If an attacker compromises a GoCD agent, they can upload a malicious file into an arbitrary directory on the GoCD server, without controlling the filename. This indicates an upload path traversal risk at the server side. The issue is addre...

7.5CVSS7.5AI score0.02309EPSS
CVE
CVE
added 2022/05/20 7:5 p.m.77 views

CVE-2022-29182

GoCD versions 19.11.0–21.4.0 are vulnerable to a DOM-based XSS in the Stage Details > Graphs tab. An attacker-hosted page can abuse the messaging channel between the parent page and the stage-graphs iframe to execute script in the user’s browser context, potentially exfiltrating session cookie...

5.4CVSS4.7AI score0.00782EPSS
CVE
CVE
added 2022/05/20 7:10 p.m.70 views

CVE-2022-29183

CVE-2022-29183 affects ThoughtWorks GoCD (versions 20.2.0–21.4.0). A reflected cross-site scripting vulnerability stems from the pipeline comparison function’s error handling, allowing an attacker to render arbitrary HTML in the returned page and potentially manipulate resources accessible to the...

6.1CVSS5.2AI score0.00797EPSS
CVE
CVE
added 2022/10/14 12:0 a.m.70 views

CVE-2022-39310

CVE-2022-39310 affects GoCD prior to 21.1.0, where an authenticated agent could impersonate another agent due to broken access control and incorrect validation of agent tokens. This could cause disclosure of credentials contained in work packages assigned to other agents. Exploitation requires kn...

6.5CVSS5.3AI score0.00615EPSS
CVE
CVE
added 2021/12/22 5:27 p.m.69 views

CVE-2021-44659

GoCD server version 21.3.0 contains a possible Server Side Request Forgery (SSRF) when adding a new pipeline. The issue stems from how outbound requests are handled/validated, with multiple connected sources attributing the vulnerability to inadequate input validation and configuration of outboun...

9.8CVSS9.3AI score0.02523EPSS
CVE
CVE
added 2022/10/14 12:0 a.m.68 views

CVE-2022-39308

GoCD versions 19.2.0–19.10.0 are vulnerable to a timing-attack in access token validation due to non–constant-time string comparison, potentially enabling brute-forcing of API tokens. The issue is fixed in GoCD 19.11.0. Workarounds include rate limiting or introducing random delays at the GoCD se...

6.5CVSS5.8AI score0.00622EPSS
CVE
CVE
added 2022/09/07 10:55 p.m.60 views

CVE-2022-36088

GoCD Windows installations prior to 22.2.0 allow inadequate permission restrictions when installed outside the default location, potentially enabling a local attacker to modify executables or components of the GoCD server/agent installation. The issue does not affect zip-based installs, installat...

5.5CVSS4.9AI score0.00222EPSS
CVE
CVE
added 2022/10/14 12:0 a.m.60 views

CVE-2022-39309

GoCD server (versions prior to 21.1.0) leaks the symmetric key used to encrypt/decrypt secure variables in configuration to authenticated agents during material serialization. A compromised trusted agent could exfiltrate the key from memory and potentially decrypt secrets for other agents/environ...

6.5CVSS5.4AI score0.0077EPSS
CVE
CVE
added 2022/10/14 12:0 a.m.58 views

CVE-2022-39311

CVE-2022-39311 affects GoCD (continuous delivery server). The vulnerability lies in the Spring RemoteInvocation endpoint, which exposed agent communication and allowed deserialization of arbitrary Java objects, enabling remote code execution on the server. Exploitation requires agent-level authen...

9.1CVSS9.1AI score0.01579EPSS
CVE
CVE
added 2025/01/03 3:56 p.m.58 views

CVE-2024-56324

GoCD versions prior to 24.4.0 allow group admins to abuse the ability to edit raw XML configuration for groups, triggering an XML External Entity (XXE) injection on the GoCD server. This can potentially lead to SSRF, information disclosure, and directory traversal, though exploitation specifics a...

7.1CVSS6.5AI score0.00768EPSS
Web
CVE
CVE
added 2024/05/13 1:53 p.m.53 views

CVE-2024-28866

CVE-2024-28866 (GoCD) affects GoCD versions 19.4.0–23.5.0 with a reflected XSS on the startup loading page via an inadequately validated redirect_to query parameter. An attacker could lure a user to open a crafted link during startup (when the server is starting but not fully started); the attack...

6.1CVSS5.2AI score0.00419EPSS
CVE
CVE
added 2021/04/01 5:58 p.m.51 views

CVE-2021-25924

GoCD versions 19.6.0–21.1.0 are vulnerable to CSRF due to missing protection on the /go/api/config/backup endpoint. An attacker can lure a victim to a malicious link, potentially altering backup configurations or executing commands in the post_backup_script field. The provided sources describe th...

9.3CVSS8.8AI score0.00751EPSS
Web
CVE
CVE
added 2025/01/03 3:41 p.m.50 views

CVE-2024-56321

CVE-2024-56321 (GoCD) affects GoCD 18.9.0–24.4.0. The issue allows admins to abuse the backup configuration “post-backup script” to run arbitrary scripts on the hosting server/container as the GoCD user. In practice, impact is limited since an admin typically has host permissions, but in restrict...

3.8CVSS4.6AI score0.00546EPSS
CVE
CVE
added 2025/01/03 3:49 p.m.50 views

CVE-2024-56322

CVE-2024-56322 affects GoCD (versions 16.7.0 through 24.4.0). The root cause is an abuse of a hidden/unused configuration repository (pipelines as code) feature that enables XML External Entity (XXE) injection on the GoCD Server. This injection is triggered when GoCD scans configuration repositor...

7.2CVSS7AI score0.00689EPSS
CVE
CVE
added 2023/03/27 8:33 p.m.49 views

CVE-2023-28630

CVE-2023-28630 affects GoCD versions 20.5.0 through 23.1.0. When backups are enabled but the server cannot access the required backup binaries (pg_dump for PostgreSQL or mysqldump for MySQL), a failure to launch the backup utility can leak the plaintext database password in admin alerts. The flaw...

4.4CVSS4.6AI score0.00254EPSS
CVE
CVE
added 2023/03/27 8:36 p.m.42 views

CVE-2023-28629

GoCD (open-source CI/CD server) prior to version 23.1.0 is vulnerable to stored XSS via a malicious pipeline label configuration in the label template. When a user with pipeline-configure permissions creates a pipeline with crafted label data, the vulnerability can affect browser displays of Valu...

5.4CVSS5.2AI score0.00498EPSS