RCE in Gocd
CVE-2022-29184
GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code exe…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.036 (88.1st percentile).
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Gocd — versions < 22.1.0
- Thoughtworks Gocd
Weakness classification (CWE)
Public proof-of-concept exploits
References
- security-advisories@github.com (Third Party Advisory, x_refsource_MISC, Release Notes)
- security-advisories@github.com (x_refsource_MISC, Release Notes, Vendor Advisory)
- security-advisories@github.com (x_refsource_CONFIRM, Third Party Advisory)
- security-advisories@github.com (Patch, Third Party Advisory, x_refsource_MISC)
Frequently asked questions
- What is CVE-2022-29184?
- CVE-2022-29184 is a high-severity vulnerability in Gocd, classified under Command Injection. CVSS score: 8.8/10. Published 2022-05-20.
- How severe is CVE-2022-29184?
- High severity. CVSS v3 base score is 8.8 out of 10.
- Is CVE-2022-29184 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.