13 matches found
CVE-2021-43287
CVE-2021-43287 affects ThoughtWorks GoCD prior to 21.3.0. The vulnerability is an information-disclosure flaw in the default-enabled business-continuity add-on, allowing unauthenticated attackers to leak all secrets known to the GoCD server (e.g., build secrets, encryption keys). The linked sourc...
CVE-2024-56320
GoCD before 24.5.0 is vulnerable to admin privilege escalation via improper authorization of the admin “Configuration XML” UI and related API. An authenticated GoCD user with an existing account can access information intended only for admins or elevate privileges to admin, with exploitation requ...
CVE-2021-43290
ThoughtWorks GoCD before 21.3.0 is affected. An attacker who gains control of a GoCD agent can upload a malicious file into a server directory, with the file name controllable but the directory placed within an untrusted path. Affected component: GoCD server handling uploaded files; root cause: d...
CVE-2021-43288
Summary: CVE-2021-43288 affects ThoughtWorks GoCD before 21.3.0. If an attacker controls a GoCD Agent, they can inject malicious JavaScript into a failed Job Report, enabling cross‑site scripting in affected dashboards. Affected product/branch: ThoughtWorks GoCD server (versions prior to 21.3.0)....
CVE-2022-29184
GoCD vulnerability (CVE-2022-29184) : In GoCD versions prior to 22.1.0, authenticated admins who can edit or create pipeline materials or configuration repositories can trigger remote code execution on the GoCD server by configuring a malicious branch name that abuses Mercurial hooks/aliases duri...
CVE-2021-43286
ThoughtWorks GoCD prior to 21.3.0 is affected by a command-line injection vulnerability in the Git URL “Test Connection” feature. An attacker who has privileges to create a new pipeline can exploit this to execute arbitrary code on the GoCD server. The issue is concrete in GoCD from the public ad...
CVE-2021-43289
CVE-2021-43289 affects ThoughtWorks GoCD prior to 21.3.0. If an attacker compromises a GoCD agent, they can upload a malicious file into an arbitrary directory on the GoCD server, without controlling the filename. This indicates an upload path traversal risk at the server side. The issue is addre...
CVE-2022-39310
CVE-2022-39310 affects GoCD prior to 21.1.0, where an authenticated agent could impersonate another agent due to broken access control and incorrect validation of agent tokens. This could cause disclosure of credentials contained in work packages assigned to other agents. Exploitation requires kn...
CVE-2022-39309
GoCD server (versions prior to 21.1.0) leaks the symmetric key used to encrypt/decrypt secure variables in configuration to authenticated agents during material serialization. A compromised trusted agent could exfiltrate the key from memory and potentially decrypt secrets for other agents/environ...
CVE-2024-56324
GoCD versions prior to 24.4.0 allow group admins to abuse the ability to edit raw XML configuration for groups, triggering an XML External Entity (XXE) injection on the GoCD server. This can potentially lead to SSRF, information disclosure, and directory traversal, though exploitation specifics a...
CVE-2022-36088
GoCD Windows installations prior to 22.2.0 allow inadequate permission restrictions when installed outside the default location, potentially enabling a local attacker to modify executables or components of the GoCD server/agent installation. The issue does not affect zip-based installs, installat...
CVE-2022-39311
CVE-2022-39311 affects GoCD (continuous delivery server). The vulnerability lies in the Spring RemoteInvocation endpoint, which exposed agent communication and allowed deserialization of arbitrary Java objects, enabling remote code execution on the server. Exploitation requires agent-level authen...
CVE-2023-28629
GoCD (open-source CI/CD server) prior to version 23.1.0 is vulnerable to stored XSS via a malicious pipeline label configuration in the label template. When a user with pipeline-configure permissions creates a pipeline with crafted label data, the vulnerability can affect browser displays of Valu...