CVE-2022-29183

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-29183

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29183.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-29183

Related

GHSA-3vvq-q4qv-x2gf

Published

2022-05-20T19:15:08Z

Modified

2025-01-14T10:54:45.177170Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to /go/compare/.* prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function.

References

Affected packages

Git / github.com/gocd/gocd

Affected ranges

Type: GIT
Repo: https://github.com/gocd/gocd
Events: Introduced

0cb6660ad91a19a4064e6537374c896506add24a

Fixed

f3b865c5018dec2bddf98496e0e74e8e70a80cb6

Affected versions

20.*

20.10.0

20.2.0

20.3.0

20.4.0

20.5.0

20.6.0

20.7.0

20.8.0

20.9.0

21.*

21.1.0

21.2.0

21.3.0