PT-2022-24889 · Gocd · Gocd

Published

2022-10-14

·

Updated

2023-07-14

·

CVE-2022-39308

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

GoCD versions 19.2.0 through 19.10.0

Description

The issue concerns a timing attack in the validation of access tokens due to the use of regular string comparison instead of a constant-time algorithm. This could allow a brute-force attack on GoCD server API calls to observe timing differences in validations and guess an access token generated by a user for API access.

Recommendations

For GoCD versions 19.2.0 through 19.10.0, apply rate limiting or insert random delays to API calls made to the GoCD Server via a reverse proxy or other fronting web server as a workaround. Alternatively, disallow the use of access tokens by having an administrator revoke all access tokens through the "Access Token Management" admin function. Update to GoCD version 19.11.0 to resolve the issue.
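The following is an added illustration of the weakness class described above, not GoCD's own code: a naive early-exit token comparison, instrumented to show that the amount of work it does depends on how long the matching prefix is, next to a constant-time check of the kind the fix in 19.11.0 represents. Token values are constructed for the example.

```python
import hashlib
import hmac
from typing import Tuple


def naive_token_check(presented: str, stored: str) -> Tuple[bool, int]:
    """Ordinary string comparison with early exit (the vulnerable pattern).

    Returns (match, bytes_examined). The second value is only instrumentation:
    it makes visible that the work done, and therefore the elapsed time, grows
    with the length of the correct prefix, which is what a timing attack observes.
    """
    a, b = presented.encode(), stored.encode()
    if len(a) != len(b):          # length mismatch leaks immediately as well
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:                # early exit: stops at the first wrong byte
            return False, examined
    return True, examined


def constant_time_token_check(presented: str, stored: str) -> bool:
    """Hardened check.

    Both values are hashed first so that neither the token length nor the
    position of the first differing byte influences the comparison, and the
    fixed-size digests are compared with hmac.compare_digest, which examines
    every byte regardless of where a mismatch occurs.
    """
    presented_digest = hashlib.sha256(presented.encode()).digest()
    stored_digest = hashlib.sha256(stored.encode()).digest()
    return hmac.compare_digest(presented_digest, stored_digest)


if __name__ == "__main__":
    STORED = "abcdef0123456789"  # constructed sample token, not a real value
    for guess in ("zbcdef0123456789", "abcdzf0123456789", STORED):
        print(guess, naive_token_check(guess, STORED),
              constant_time_token_check(guess, STORED))
```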

Related Identifiers

CVE-2022-39308
GHSA-999P-FP84-JCPQ

Affected Products

Gocd