This page lists publicly disclosed CVE vulnerabilities affecting thoughtworks gocd (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-56324 | GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fi | [email protected] | 2.1 | 0.10% | 2025-01-03 | 2025-08-01 |
| CVE-2024-56322 | GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining wit | [email protected] | 2.1 | 0.57% | 2025-01-03 | 2025-08-01 |
| CVE-2024-56321 | GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that Go | [email protected] | 3.8 | 1.29% | 2025-01-03 | 2025-08-01 |
| CVE-2024-56320 | GoCD is a continuous deliver server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. it is not possible for this | [email protected] | 9.4 | 1.59% | 2025-01-03 | 2025-08-01 |
| CVE-2024-28866 | GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on the loading page displayed while GoCD is starting, via abuse of a `redirect_to` query parameter with inadequate validation. Attackers could theoretically abuse the query parameter to steal session tokens or other values from the user's browser. In practice exploiting this to perform privileged actions is likely rather difficult to | [email protected] | 3.1 | 0.99% | 2024-05-14 | 2025-08-04 |
| CVE-2023-28630 | GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0, if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools, the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled, but does not have access to the `pg_dump` or `mysq | [email protected] | 4.2 | 0.09% | 2023-03-27 | 2024-11-21 |
| CVE-2023-28629 | GoCD is an open source continuous delivery server. GoCD versions before 23.1.0 are vulnerable to a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. An attacker that has permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing a XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Detai | [email protected] | 5.4 | 0.52% | 2023-03-27 | 2024-11-21 |
| CVE-2022-39311 | GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacke | [email protected] | 9.1 | 9.47% | 2022-10-14 | 2024-11-21 |
| CVE-2022-39310 | GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authenticated agent to impersonate another agent, and thus receive work packages for other agents due to broken access control and incorrect validation of agent tokens within the GoCD server. Since work packages can contain sensitive information such as credentials intended only for a given job running again | [email protected] | 4.9 | 0.30% | 2022-10-14 | 2024-11-21 |
| CVE-2022-39309 | GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt/decrypt any secure variables/secrets in GoCD configuration to authenticated agents. A malicious/compromised agent may then expose that key from memory, and potentially allow an attacker the ability to decrypt secrets intended for other agents/environments if they also are able to obt | [email protected] | 4.9 | 0.36% | 2022-10-14 | 2024-11-21 |
| CVE-2022-39308 | GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access | [email protected] | 6.5 | 0.41% | 2022-10-14 | 2024-11-21 |
| CVE-2022-36088 | GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or ` | [email protected] | 5.0 | 0.04% | 2022-09-07 | 2024-11-21 |
| CVE-2022-29184 | GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either cre | [email protected] | 8.8 | 5.29% | 2022-05-20 | 2024-11-21 |
| CVE-2022-29183 | GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` | [email protected] | 4.3 | 0.46% | 2022-05-20 | 2024-11-21 |
| CVE-2022-29182 | GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run's Stage Details > Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user's browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph's iframe. This could a | [email protected] | 4.3 | 0.50% | 2022-05-20 | 2024-11-21 |
| CVE-2021-43290 | An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into a directory of a GoCD server. They can control the filename but the directory is placed inside of a directory that they can't control. | [email protected] | 9.8 | 3.66% | 2022-04-14 | 2024-11-21 |
| CVE-2021-43289 | An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker who has compromised a GoCD agent can upload a malicious file into an arbitrary directory of a GoCD server, but does not control the filename. | [email protected] | 7.5 | 1.56% | 2022-04-14 | 2024-11-21 |
| CVE-2021-43288 | An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker in control of a GoCD Agent can plant malicious JavaScript into a failed Job Report. | [email protected] | 5.4 | 0.50% | 2022-04-14 | 2024-11-21 |
| CVE-2021-43286 | An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL "Test Connection" feature to execute arbitrary code. | [email protected] | 8.8 | 1.64% | 2022-04-14 | 2024-11-21 |
| CVE-2021-43287 | An issue was discovered in ThoughtWorks GoCD before 21.3.0. The business continuity add-on, which is enabled by default, leaks all secrets known to the GoCD server to unauthenticated attackers. | [email protected] | 7.5 | 79.18% | 2022-04-14 | 2024-11-21 |