Cyber Resilience

CVE-2022-29184

Severity: High · Impact: RCE

Published: 20 May 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in GoCD 22.1.0
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0529 (90.2nd percentile)
Risk priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-29184 is a high-severity Command Injection (CWE-77) vulnerability in Thoughtworks GoCD. Its CVSS base score is 8.8 (High).

Operationally, its EPSS score places it in the top 9.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

GoCD, an open-source continuous delivery server, contains a command-injection vulnerability in all versions prior to 22.1.0. The flaw resides in the handling of Mercurial-based pipeline materials and configuration repositories; an authenticated user who can supply a branch name can abuse Mercurial hook and alias mechanisms to execute arbitrary commands on the server host.

Exploitation requires an account that already possesses GoCD administrative rights sufficient to create or modify pipelines or configuration repositories that use Mercurial. With such access an attacker can achieve remote code execution, obtaining full control over the GoCD server process and any data or credentials it manages. The attack can also be triggered indirectly when pipelines-as-code definitions stored in an external Mercurial repository are automatically parsed by the server.

The official GoCD advisory and release notes for version 22.1.0 state that the issue is resolved by upgrading to that release. As a workaround, administrators who do not rely on Mercurial materials may remove the hg binary from the underlying operating system or Docker image.
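The two remediation facts above (fix shipped in 22.1.0; workaround is removing the `hg` binary) can be turned into a host triage check. The script below is an added example, not part of this record or of the GoCD project. It assumes the server version is supplied as `MAJOR.MINOR.PATCH` (GoCD's release numbering) and that Mercurial, if installed, is reachable on `PATH` as `hg`; the function names (`version_lt`, `cve_2022_29184_status`) are hypothetical.

```shell
#!/bin/sh
# Added example for triaging CVE-2022-29184 on a GoCD server host.
# Not from the advisory or the GoCD project. Assumptions: version strings are
# numeric MAJOR.MINOR.PATCH, and Mercurial (if present) is `hg` on PATH.

# version_key VERSION : print a fixed-width numeric key so versions can be
# compared with a plain integer test; missing components count as 0.
version_key() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split "22.1.0" into 22 1 0
    IFS=$old_ifs
    printf '1%05d%05d%05d' "${1:-0}" "${2:-0}" "${3:-0}"
}

# version_lt A B : exit 0 when A is strictly older than B.
version_lt() {
    [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# gocd_vulnerable_version VERSION : exit 0 when VERSION predates the 22.1.0 fix.
gocd_vulnerable_version() {
    version_lt "$1" "22.1.0"
}

# hg_on_path : exit 0 when a Mercurial binary is visible to this shell.
hg_on_path() {
    command -v hg >/dev/null 2>&1
}

# cve_2022_29184_status VERSION HG_PRESENT : print one of
#   patched    - server already at/after 22.1.0
#   mitigated  - older server, but no hg binary, so the workaround applies
#   exposed    - older server with hg available to the server process
# HG_PRESENT is passed explicitly ("yes"/"no") so the decision logic can be
# exercised independently of what is installed on the machine running this.
cve_2022_29184_status() {
    if ! gocd_vulnerable_version "$1"; then
        printf 'patched\n'
    elif [ "$2" = "no" ]; then
        printf 'mitigated\n'
    else
        printf 'exposed\n'
    fi
}

# Stand-alone use: ./check.sh 21.4.0  (version taken from the GoCD admin UI)
if [ "${1:-}" ]; then
    if hg_on_path; then hg=yes; else hg=no; fi
    printf 'GoCD %s, hg on PATH: %s -> %s\n' \
        "$1" "$hg" "$(cve_2022_29184_status "$1" "$hg")"
fi
```

Run it on the server host itself (or inside the GoCD container image), since the relevant question is whether `hg` is reachable by the GoCD server process, not by an operator's workstation. A result of `mitigated` still leaves the upgrade outstanding; the workaround only holds while no pipeline or configuration repository depends on Mercurial.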

The associated EPSS score has remained flat at 0.0529 with no material increase after disclosure.

EU & UK References

Vulnerability details

GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where "pipelines-as-code" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image.

CWE(s)

CWE-77: Command Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

thoughtworks / gocd, versions ≤ 22.1.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References