CVE-2022-24832

Name of the Vulnerable Software and Affected Versions GoCD versions prior to 22.1.0

Description The issue affects the gocd-ldap-authentication-plugin bundled with the GoCD Server, which fails to correctly escape special characters when using the username to construct LDAP queries. This allows an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, enabling them to deduce facts about other users or entries within the LDAP database through brute force mechanisms. The issue only affects users with a working LDAP authorization configuration enabled on their GoCD server and is exploitable by users authenticating using such an LDAP configuration.

Recommendations For versions prior to 22.1.0, update to GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144, to resolve the issue. As a temporary workaround, consider restricting access to the LDAP authentication configuration to minimize the risk of exploitation.