CVE-2022-39309 : GoCD is a continuous delivery server. GoCD helps you automate and streamline the

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt/decrypt any secure variables/secrets in GoCD configuration to authenticated agents. A malicious/compromised agent may then expose that key from memory, and potentially allow an attacker the ability to decrypt secrets intended for other agents/environments if they also are able to obtain access to encrypted configuration values from the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.

Published 2022-10-14 20:15:16

Updated 2022-10-21 20:24:11

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2022-39309

Thoughtworks » Gocd
Versions before (<) 21.1.0
cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-39309

EPSS FAQ

0.17%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 40 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-39309

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
4.9	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N	1.2	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2022-39309

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: security-advisories@github.com (Secondary)
CWE-499 Serializable Class Containing Sensitive Data

The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class.

Assigned by: security-advisories@github.com (Secondary)
CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-39309

https://github.com/gocd/gocd/releases/tag/21.1.0

Release GoCD 21.1.0 · gocd/gocd · GitHub
Release Notes;Third Party Advisory
https://github.com/gocd/gocd/security/advisories/GHSA-f9qg-xcxq-cgv9

Server secret encryption/decryption key accidentally leaked to agents during material serialization · Advisory · gocd/gocd · GitHub
Patch;Release Notes;Third Party Advisory
https://www.gocd.org/releases/#21-1-0

Releases - Version notes | GoCD
Release Notes;Vendor Advisory

CVEs referencing this url
https://github.com/gocd/gocd/commit/691b479f1310034992da141760e9c5d1f5b60e8a

SCMMaterial changes #000 · gocd/gocd@691b479 · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-39309

Products affected by CVE-2022-39309

Exploit prediction scoring system (EPSS) score for CVE-2022-39309

CVSS scores for CVE-2022-39309

CWE ids for CVE-2022-39309

References for CVE-2022-39309