Vulnerabilities > CVE-2022-39309 - Exposure of Resource to Wrong Sphere vulnerability in Thoughtworks Gocd

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

thoughtworks

CWE-668

NVD

Published: 2022-10-14

Updated: 2022-10-21

Summary

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt/decrypt any secure variables/secrets in GoCD configuration to authenticated agents. A malicious/compromised agent may then expose that key from memory, and potentially allow an attacker the ability to decrypt secrets intended for other agents/environments if they also are able to obtain access to encrypted configuration values from the GoCD server. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.

Vulnerable Configurations

Part	Description	Count
Application	Thoughtworks Thoughtworks Gocd 14.2.0 Thoughtworks Gocd 14.3.0 Thoughtworks Gocd 14.4.0 Thoughtworks Gocd 15.1.0 Thoughtworks Gocd 15.2.0 Thoughtworks Gocd 15.3.0 Thoughtworks Gocd 15.3.1 Thoughtworks Gocd 16.1.0 Thoughtworks Gocd 16.2.0 Thoughtworks Gocd 16.2.1 Thoughtworks Gocd 16.3.0 Thoughtworks Gocd 16.4.0 Thoughtworks Gocd 16.5.0 Thoughtworks Gocd 16.6.0 Thoughtworks Gocd 16.7.0 Thoughtworks Gocd 16.8.0 Thoughtworks Gocd 16.9.0 Thoughtworks Gocd 16.10.0 Thoughtworks Gocd 16.11.0 Thoughtworks Gocd 16.12.0 Thoughtworks Gocd 17.1.0 Thoughtworks Gocd 17.2.0 Thoughtworks Gocd 17.3.0 Thoughtworks Gocd 17.4.0 Thoughtworks Gocd 17.5.0 Thoughtworks Gocd 17.6.0 Thoughtworks Gocd 17.7.0 Thoughtworks Gocd 17.8.0 Thoughtworks Gocd 17.9.0 Thoughtworks Gocd 17.10.0 Thoughtworks Gocd 17.11.0 Thoughtworks Gocd 17.12.0 Thoughtworks Gocd 18.1.0 Thoughtworks Gocd 18.2.0 Thoughtworks Gocd 18.3.0 Thoughtworks Gocd 18.4.0 Thoughtworks Gocd 18.5.0 Thoughtworks Gocd 18.6.0 Thoughtworks Gocd 18.7.0 Thoughtworks Gocd 18.8.0 Thoughtworks Gocd 18.9.0 Thoughtworks Gocd 18.10.0 Thoughtworks Gocd 18.11.0 Thoughtworks Gocd 18.12.0 Thoughtworks Gocd 19.1.0 Thoughtworks Gocd 19.2.0 Thoughtworks Gocd 19.3.0 Thoughtworks Gocd 19.4.0 Thoughtworks Gocd 19.5.0 Thoughtworks Gocd 19.6.0 Thoughtworks Gocd 19.7.0 Thoughtworks Gocd 19.8.0 Thoughtworks Gocd 19.9.0 Thoughtworks Gocd 19.10.0 Thoughtworks Gocd 19.11.0 Thoughtworks Gocd 19.12.0 Thoughtworks Gocd 20.1.0 Thoughtworks Gocd 20.2.0 Thoughtworks Gocd 20.3.0 Thoughtworks Gocd 20.4.0 Thoughtworks Gocd 20.5.0 Thoughtworks Gocd 20.6.0 Thoughtworks Gocd 20.7.0 Thoughtworks Gocd 20.8.0 Thoughtworks Gocd 20.9.0 Thoughtworks Gocd 20.10.0	66

Common Weakness Enumeration (CWE)

CWE-668 - Exposure of Resource to Wrong Sphere

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References