CVE-2023-28630

Name of the Vulnerable Software and Affected Versions GoCD versions 20.5.0 through 23.1.0

Description The issue arises when the server environment is not correctly configured to provide access to the relevant PostgreSQL or MySQL backup tools, potentially leaking database access credentials to admin alerts on the GoCD user interface. This occurs if the GoCD server host is misconfigured to have backups enabled but lacks access to the pg dump or mysqldump utility tools for the configured database type. The vulnerability does not affect backups of the default on-disk H2 database.

Recommendations For GoCD versions 20.5.0 through 23.1.0, upgrade to GoCD 23.1.0 to resolve the issue. For users unable to upgrade, consider disabling backups as a temporary workaround. Alternatively, ensure that the required pg dump (PostgreSQL) or mysqldump (MySQL) binaries are available on the GoCD server when backups are triggered.