CVE-2022-39309 — MEDIUM (4.9)

Q: How severe is CVE-2022-39309?

CVE-2022-39309 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-39309?

Check the references section above for vendor advisories and patch information. Affected products include: Thoughtworks Gocd.

Vulnerability Description

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt/decrypt any secure variables/secrets in GoCD configuration to authenticated agents. A malicious/compromised agent may then expose that key from memory, and potentially allow an attacker the ability to decrypt secrets intended for other agents/environments if they also are able to obtain access to encrypted configuration values from the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.

CVSS Score

4.9

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Thoughtworks	Gocd	< 21.1.0

Related Weaknesses (CWE)

CWE-499 CWE-668 CWE-200

References

https://github.com/gocd/gocd/commit/691b479f1310034992da141760e9c5d1f5b60e8aPatchThird Party Advisory
https://github.com/gocd/gocd/releases/tag/21.1.0Release NotesThird Party Advisory
https://github.com/gocd/gocd/security/advisories/GHSA-f9qg-xcxq-cgv9PatchRelease NotesThird Party Advisory
https://www.gocd.org/releases/#21-1-0Release NotesVendor Advisory
https://github.com/gocd/gocd/commit/691b479f1310034992da141760e9c5d1f5b60e8aPatchThird Party Advisory
https://github.com/gocd/gocd/releases/tag/21.1.0Release NotesThird Party Advisory
https://github.com/gocd/gocd/security/advisories/GHSA-f9qg-xcxq-cgv9PatchRelease NotesThird Party Advisory
https://www.gocd.org/releases/#21-1-0Release NotesVendor Advisory

FAQ

What is CVE-2022-39309?

CVE-2022-39309 is a vulnerability with a CVSS score of 4.9 (MEDIUM). GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key ...

How severe is CVE-2022-39309?

CVE-2022-39309 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-39309?

Check the references section above for vendor advisories and patch information. Affected products include: Thoughtworks Gocd.