{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-04T17:00:46.946","vulnerabilities":[{"cve":{"id":"CVE-2022-39311","sourceIdentifier":"security-advisories@github.com","published":"2022-10-14T20:15:16.183","lastModified":"2024-11-21T07:18:00.563","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication or register a new agent to practically exploit this vulnerability. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds."},{"lang":"es","value":"GoCD es un servidor de entrega continua. GoCD le ayuda a automatizar y agilizar el ciclo de construcción-prueba-lanzamiento para la entrega continua de su producto. Las versiones de GoCD anteriores a la 21.1.0 son vulnerables a la ejecución remota de código en el servidor desde un agente malicioso o comprometido. El endpoint de Spring RemoteInvocation exponía la comunicación con el agente y permitía la deserialización de objetos java arbitrarios, así como la posterior ejecución de código remoto. La explotación requiere autenticación a nivel de agente, por lo que un atacante necesitaría comprometer un agente existente, su comunicación de red o registrar un nuevo agente para explotar prácticamente esta vulnerabilidad. Este problema ha sido corregido en GoCD versión 21.1.0. Actualmente no se presentan mitigaciones conocidas"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.3,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*","versionEndExcluding":"21.1.0","matchCriteriaId":"AE600F59-5CB0-4E7F-B58F-16121BF8F61E"}]}]}],"references":[{"url":"https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm","source":"security-advisories@github.com","tags":["Patch","Release Notes","Third Party Advisory"]},{"url":"https://www.gocd.org/releases/#21-1-0","source":"security-advisories@github.com","tags":["Release Notes","Vendor Advisory"]},{"url":"https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Release Notes","Third Party Advisory"]},{"url":"https://www.gocd.org/releases/#21-1-0","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes","Vendor Advisory"]}]}}]}