CVE-2022-39310 — MEDIUM (4.9)

Q: How severe is CVE-2022-39310?

CVE-2022-39310 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-39310?

Check the references section above for vendor advisories and patch information. Affected products include: Thoughtworks Gocd.

Vulnerability Description

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authenticated agent to impersonate another agent, and thus receive work packages for other agents due to broken access control and incorrect validation of agent tokens within the GoCD server. Since work packages can contain sensitive information such as credentials intended only for a given job running against a specific agent environment, this can cause accidental information disclosure. Exploitation requires knowledge of agent identifiers and ability to authenticate as an existing agent with the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.

CVSS Score

4.9

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Thoughtworks	Gocd	< 21.1.0

Related Weaknesses (CWE)

CWE-284

References

https://github.com/gocd/gocd/pull/8877PatchThird Party Advisory
https://github.com/gocd/gocd/security/advisories/GHSA-4fp5-33jh-hgcqPatchRelease NotesThird Party Advisory
https://www.gocd.org/releases/#21-1-0Release NotesVendor Advisory
https://github.com/gocd/gocd/pull/8877PatchThird Party Advisory
https://github.com/gocd/gocd/security/advisories/GHSA-4fp5-33jh-hgcqPatchRelease NotesThird Party Advisory
https://www.gocd.org/releases/#21-1-0Release NotesVendor Advisory

FAQ

What is CVE-2022-39310?

CVE-2022-39310 is a vulnerability with a CVSS score of 4.9 (MEDIUM). GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authentic...

How severe is CVE-2022-39310?

CVE-2022-39310 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-39310?

Check the references section above for vendor advisories and patch information. Affected products include: Thoughtworks Gocd.