PT-2022-19437 · Thoughtworks · Gocd

Published: 2022-05-20 · Updated: 2022-06-06 · CVE-2022-29184

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GoCD versions prior to 22.1.0

Description: GoCD is a continuous delivery server. In versions prior to 22.1.0, an existing authenticated user with permission to edit or create pipeline materials or pipeline configuration repositories can achieve remote code execution on the GoCD server by configuring a malicious branch name, which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (hg-based) configuration repositories, create/edit pipelines and their (hg-based) materials, or commit malicious configuration to an external repository.

Recommendations: For GoCD versions prior to 22.1.0, update to version 22.1.0 to resolve the issue. As a temporary workaround, users who do not use or rely upon Mercurial materials can uninstall/remove the hg/Mercurial binary from the underlying GoCD Server operating system or Docker image.
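The weakness above is an argument injection: a user-controlled branch name reaches the hg command line, where a value shaped like an option can smuggle in hook or alias configuration. The check below is added here as an illustration of the defensive side, not GoCD's own code; the allowlist pattern, the function names and the sample values are constructed for this example.

```python
import re
from typing import List

# Constructed allowlist for a Mercurial material branch name: it must start with
# a letter or digit (so hg can never parse it as an option), may contain only a
# small set of separators, and is length-capped. Anything else is rejected.
BRANCH_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/+-]{0,127}$")


def is_safe_hg_branch(name: str) -> bool:
    """Return True only if `name` is acceptable as an hg branch operand."""
    return bool(BRANCH_RE.fullmatch(name))


def hg_clone_argv(repo_url: str, branch: str, dest: str) -> List[str]:
    """Build the argv for cloning one branch of a Mercurial material.

    The branch is validated before it is placed on the command line, and the
    result is an argv list meant for subprocess.run(argv) without a shell, so
    the operating system never re-parses the value as shell syntax.
    """
    if not is_safe_hg_branch(branch):
        raise ValueError(f"rejected hg branch name: {branch!r}")
    return ["hg", "clone", "--branch", branch, repo_url, dest]
```

Pair the check with the advisory's workaround where possible: if no material needs Mercurial, removing the hg binary from the server image removes the vector entirely.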

Exploit

Fix

Argument Injection

Command Injection


Weakness Enumeration

Related Identifiers

CVE-2022-29184
GHSA-VF5R-R7J2-CF2H

Affected Products

Gocd