PT-2022-23177 · Gocd · Gocd

Published: 2022-09-07 · Updated: 2022-09-16 · CVE-2022-36088

CVSS v3.1: 5.0 (Medium)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: GoCD versions prior to 22.2.0

Description: GoCD is a continuous delivery server. The issue arises from inadequate permission restrictions during Windows installations of GoCD server or agent installers outside of the default location. This could allow a malicious user with local access to modify executables or components of the installation. The issue does not affect zip file-based installs, installations on other platforms, or installations inside Program Files or Program Files (x86).

Recommendations: For versions prior to 22.2.0, update to GoCD 22.2.0 or later to resolve the issue. As a temporary workaround, if the server or agent is installed outside of Program Files (x86), verify the permissions of the Server or Agent installation directory to ensure the Everyone user group does not have Full Control, Modify, or Write permissions.
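The workaround above is a manual ACL check. The following PowerShell script is an added example (not part of this advisory or of the GoCD project) that performs that check on an installation directory: it lists every Allow ACE that grants the Everyone group (SID S-1-1-0) Full Control, Modify or Write rights, and can optionally remove those ACEs. The install path is a placeholder, the -Recurse and -Remediate switches and the handling of inherited ACEs are assumptions of this example, and the check is slightly stricter than the advisory's wording in that it also reports partial write rights such as WriteData alone.

```powershell
# Added example, not from the advisory or the GoCD project: audit a GoCD server or
# agent installation directory for the condition the workaround describes (Everyone
# holding Full Control, Modify or Write) and optionally remove those rights.
param(
    [string]$InstallDir = 'D:\GoCD\Server',  # placeholder path, replace with the real install directory
    [switch]$Recurse,                         # also check files and subdirectories (assumed extra option)
    [switch]$Remediate                        # remove offending Allow ACEs (assumed extra step, not in the advisory)
)

# Compare identities by SID so the check works regardless of the OS display language
$everyoneSid = 'S-1-1-0'

# Rights the advisory says Everyone must not hold; combined as a bit mask
$forbidden = [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::Write

function Get-EveryoneWriteAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # unresolvable identity cannot be Everyone
        if ($sid.Value -ne $everyoneSid) { continue }
        # FileSystemRights is a flags enum; any overlap with the forbidden bits is a finding
        if (([int]$ace.FileSystemRights -band [int]$forbidden) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$targets = @(Get-Item -LiteralPath $InstallDir)
if ($Recurse) { $targets += Get-ChildItem -LiteralPath $InstallDir -Recurse -Force }

$findings = foreach ($item in $targets) { Get-EveryoneWriteAces -Path $item.FullName }

if (-not $findings) {
    Write-Output "No Allow ACE grants Everyone Full Control, Modify or Write under $InstallDir"
    return
}

$findings | Format-Table Path, Identity, Rights, Inherited -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        $acl = Get-Acl -LiteralPath $f.Path
        if ($f.Inherited) {
            # Inherited ACEs cannot be removed directly: break inheritance, keeping copies
            # of the inherited rules as explicit ones, then remove the offending copy
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $f.Path -AclObject $acl
            $acl = Get-Acl -LiteralPath $f.Path
        }
        $acl.Access |
            Where-Object { $_.IdentityReference.Value -eq $f.Identity -and
                           $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow } |
            ForEach-Object { [void]$acl.RemoveAccessRule($_) }
        Set-Acl -LiteralPath $f.Path -AclObject $acl
        Write-Output "Removed Everyone Allow ACE(s) from $($f.Path)"
    }
}
```

Run it from an elevated prompt against the Server or Agent directory, e.g. `.\Check-GoCDAcl.ps1 -InstallDir 'D:\GoCD\Agent' -Recurse`; the table it prints is the evidence the workaround asks for, and -Remediate removes only Allow entries for Everyone, leaving every other principal's rights untouched.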


Weakness Enumeration

Improper Access Control
Improper Privilege Management

Related Identifiers

CVE-2022-36088
GHSA-GPV4-XQHC-5VCJ

Affected Products

Gocd