QwikSec

Security Database

CVE

CWE

Training

CVE-2022-29183

Published: May 20, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function.

Vendor	Product	Versions
gocd	gocd	affected `>= 20.2.0, < 21.4.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gf

x_refsource_CONFIRM

https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1

x_refsource_MISC

https://github.com/gocd/gocd/releases/tag/21.4.0

x_refsource_MISC

https://www.gocd.org/releases/#21-4-0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.