PT-2022-19436 · Gocd · Gocd

Chadlwilson · Published 2022-05-20 · Updated 2022-06-06 · CVE-2022-29183

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: GoCD versions 20.2.0 through 21.4.0

Description: GoCD is a continuous delivery server. The issue is a reflected cross-site scripting vulnerability: the error handling of the pipeline comparison function can be abused to render arbitrary HTML into the returned page. An attacker could use this to trick a victim into executing script in the victim's browser session, which would let the attacker operate on, or gain control over, the same resources the victim has access to.

Recommendations: For GoCD versions 20.2.0 through 21.4.0, update to GoCD 21.4.0 to resolve the issue. As a temporary workaround, consider blocking access to "/go/compare/.*" before requests reach the GoCD Server, via a reverse proxy, web application firewall, or equivalent, to prevent use of the pipeline comparison function.
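The reverse-proxy workaround from the recommendations, written out as an added example; this is not part of the advisory and not configuration shipped by the GoCD project. It assumes nginx terminates TLS in front of a GoCD Server listening on 127.0.0.1:8153 (an assumed address) and that `gocd.example.internal` is a placeholder hostname. The regex location mirrors the advisory's "/go/compare/.*" pattern and returns 403 before the request is proxied.

```nginx
# Added example, not from the advisory: nginx fronting GoCD Server and
# denying the pipeline comparison paths as a temporary workaround.
upstream gocd_server {
    server 127.0.0.1:8153;   # assumed GoCD Server address; adjust to your deployment
}

server {
    listen 443 ssl;
    server_name gocd.example.internal;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key omitted; supply your own

    # Block "/go/compare/.*" before it reaches GoCD. A matching regex
    # location wins over the plain prefix location below, so these requests
    # are never proxied. nginx matches against the decoded, normalised URI,
    # so percent-encoded variants of the path are covered as well.
    location ~ ^/go/compare/ {
        return 403;
    }

    location / {
        proxy_pass http://gocd_server;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, a request such as `curl -I https://gocd.example.internal/go/compare/` should return 403 while other pages still proxy normally; remove the block once the server has been upgraded to a fixed release.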

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2022-29183
GHSA-3VVQ-Q4QV-X2GF

Affected Products

Gocd