PT-2022-24893 · GoCD

Published: 2022-10-14 · Updated: 2022-10-19 · CVE-2022-39311

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GoCD versions prior to 21.1.0

Description: GoCD is a continuous delivery server that automates and streamlines the build-test-release cycle for continuous delivery of a product. The issue allows remote code execution on the server from a malicious or compromised agent, due to the exposure of the Spring RemoteInvocation endpoint, which deserializes arbitrary Java objects sent by agents. Exploitation requires agent-level authentication: an attacker would need to compromise an existing agent or its network communication, or register a new agent.

Recommendations: For versions prior to 21.1.0, update to GoCD version 21.1.0 to resolve the issue. As a temporary workaround, consider restricting agent registrations and monitoring agent communications to minimize the risk of exploitation. Avoid using the Spring RemoteInvocation endpoint until the issue is resolved.

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers:
CVE-2022-39311
GHSA-2HJH-3P3P-8HCM

Affected Products:
GoCD
Spring RemoteInvocation