CVE-2022-39311

14.10.2022, 20:15

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication or register a new agent to practically exploit this vulnerability. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.1 CRITICAL	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
GitHub_M	CNA	9.1 CRITICAL	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 85%

Vendor	Product	Version
thoughtworks	gocd	𝑥 < 21.1.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8

https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm

https://www.gocd.org/releases/#21-1-0

https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8

https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm

https://www.gocd.org/releases/#21-1-0