CVE-2022-29183

MEDIUM

GoCD 20.2.0-21.4.0 - Reflected Cross-Site Scripting via Pipeline Comparison Error Handling

Title source: llm
STIX 2.1

Description

GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function.

References (4)

Core 4
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/gocd/gocd/releases/tag/21.4.0
Release Notes, Vendor Advisory x_refsource_misc
https://www.gocd.org/releases/#21-4-0

Scores

CVSS v3 4.3
EPSS 0.0080
EPSS Percentile 52.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
thoughtworks/gocd 20.2.0 - 21.4.0
Published May 20, 2022
Tracked Since Feb 18, 2026