CRITICAL🇵🇱 Wersja polska

CVE-2022-39311

CVSS 9.1v3.1pub. 2022-10-14upd. 2024-11-21

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication or register a new agent to practically exploit this vulnerability. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Thoughtworks Gocd

    APP
    Thoughtworks
    < 21.1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2024-56320CRITICAL9.4PL ✓ten sam produkt

GoCD — eskalacja uprawnień do poziomu administratora (privilege escalation)

CVE-2021-43290CRITICAL9.8ten sam produkt

An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can u...

CVE-2021-44659CRITICAL9.8ten sam produkt

Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-inten...

CVE-2022-29184HIGH8.8ten sam produkt

GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authentica...

CVE-2021-43287HIGH7.5ten sam produkt

An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled b...