Lucene search
+L

13 matches found

CVE
CVE
added 2022/04/14 11:52 a.m.124 views

CVE-2021-43287

CVE-2021-43287 affects ThoughtWorks GoCD prior to 21.3.0. The vulnerability is an information-disclosure flaw in the default-enabled business-continuity add-on, allowing unauthenticated attackers to leak all secrets known to the GoCD server (e.g., build secrets, encryption keys). The linked sourc...

7.5CVSS7.5AI score0.28039EPSS
In wild
CVE
CVE
added 2025/01/03 3:37 p.m.111 views

CVE-2024-56320

GoCD before 24.5.0 is vulnerable to admin privilege escalation via improper authorization of the admin “Configuration XML” UI and related API. An authenticated GoCD user with an existing account can access information intended only for admins or elevate privileges to admin, with exploitation requ...

9.4CVSS6.5AI score0.00727EPSS
CVE
CVE
added 2022/04/14 12:55 p.m.108 views

CVE-2021-43290

ThoughtWorks GoCD before 21.3.0 is affected. An attacker who gains control of a GoCD agent can upload a malicious file into a server directory, with the file name controllable but the directory placed within an untrusted path. Affected component: GoCD server handling uploaded files; root cause: d...

9.8CVSS9.4AI score0.03169EPSS
CVE
CVE
added 2022/04/14 12:55 p.m.94 views

CVE-2021-43288

Summary: CVE-2021-43288 affects ThoughtWorks GoCD before 21.3.0. If an attacker controls a GoCD Agent, they can inject malicious JavaScript into a failed Job Report, enabling cross‑site scripting in affected dashboards. Affected product/branch: ThoughtWorks GoCD server (versions prior to 21.3.0)....

5.4CVSS5.5AI score0.00898EPSS
CVE
CVE
added 2022/05/20 7:25 p.m.90 views

CVE-2022-29184

GoCD vulnerability (CVE-2022-29184) : In GoCD versions prior to 22.1.0, authenticated admins who can edit or create pipeline materials or configuration repositories can trigger remote code execution on the GoCD server by configuring a malicious branch name that abuses Mercurial hooks/aliases duri...

8.8CVSS9AI score0.03585EPSS
CVE
CVE
added 2022/04/14 12:55 p.m.87 views

CVE-2021-43286

ThoughtWorks GoCD prior to 21.3.0 is affected by a command-line injection vulnerability in the Git URL “Test Connection” feature. An attacker who has privileges to create a new pipeline can exploit this to execute arbitrary code on the GoCD server. The issue is concrete in GoCD from the public ad...

8.8CVSS8.9AI score0.02715EPSS
CVE
CVE
added 2022/04/14 12:55 p.m.83 views

CVE-2021-43289

CVE-2021-43289 affects ThoughtWorks GoCD prior to 21.3.0. If an attacker compromises a GoCD agent, they can upload a malicious file into an arbitrary directory on the GoCD server, without controlling the filename. This indicates an upload path traversal risk at the server side. The issue is addre...

7.5CVSS7.5AI score0.02309EPSS
CVE
CVE
added 2022/10/14 12:0 a.m.73 views

CVE-2022-39310

CVE-2022-39310 affects GoCD prior to 21.1.0, where an authenticated agent could impersonate another agent due to broken access control and incorrect validation of agent tokens. This could cause disclosure of credentials contained in work packages assigned to other agents. Exploitation requires kn...

6.5CVSS5.3AI score0.00615EPSS
CVE
CVE
added 2022/10/14 12:0 a.m.71 views

CVE-2022-39309

GoCD server (versions prior to 21.1.0) leaks the symmetric key used to encrypt/decrypt secure variables in configuration to authenticated agents during material serialization. A compromised trusted agent could exfiltrate the key from memory and potentially decrypt secrets for other agents/environ...

6.5CVSS5.4AI score0.0077EPSS
CVE
CVE
added 2025/01/03 3:56 p.m.64 views

CVE-2024-56324

GoCD versions prior to 24.4.0 allow group admins to abuse the ability to edit raw XML configuration for groups, triggering an XML External Entity (XXE) injection on the GoCD server. This can potentially lead to SSRF, information disclosure, and directory traversal, though exploitation specifics a...

7.1CVSS6.5AI score0.00768EPSS
CVE
CVE
added 2022/09/07 10:55 p.m.62 views

CVE-2022-36088

GoCD Windows installations prior to 22.2.0 allow inadequate permission restrictions when installed outside the default location, potentially enabling a local attacker to modify executables or components of the GoCD server/agent installation. The issue does not affect zip-based installs, installat...

5.5CVSS4.9AI score0.00222EPSS
CVE
CVE
added 2022/10/14 12:0 a.m.61 views

CVE-2022-39311

CVE-2022-39311 affects GoCD (continuous delivery server). The vulnerability lies in the Spring RemoteInvocation endpoint, which exposed agent communication and allowed deserialization of arbitrary Java objects, enabling remote code execution on the server. Exploitation requires agent-level authen...

9.1CVSS9.1AI score0.01579EPSS
CVE
CVE
added 2023/03/27 8:36 p.m.44 views

CVE-2023-28629

GoCD (open-source CI/CD server) prior to version 23.1.0 is vulnerable to stored XSS via a malicious pipeline label configuration in the label template. When a user with pipeline-configure permissions creates a pipeline with crafted label data, the vulnerability can affect browser displays of Valu...

5.4CVSS5.2AI score0.00498EPSS