CVE-2022-29184
Published: 20 May 2022
Summary
CVE-2022-29184 is a high-severity Command Injection (CWE-77) vulnerability in Thoughtworks GoCD. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 9.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
GoCD, an open-source continuous delivery server, contains a command-injection vulnerability in all versions prior to 22.1.0. The flaw resides in the handling of Mercurial-based pipeline materials and configuration repositories: an authenticated user who can supply a branch name can abuse Mercurial hook and alias mechanisms to execute arbitrary commands on the server host.
Exploitation requires an account that already holds GoCD administrative rights sufficient to create or modify pipelines or configuration repositories that use Mercurial. With such access an attacker can achieve remote code execution, obtaining full control over the GoCD server process and any data or credentials it manages. The attack can also be triggered indirectly when pipelines-as-code definitions stored in an external Mercurial repository are automatically parsed by the server.
The official GoCD advisory and release notes for version 22.1.0 state that the issue is resolved by upgrading to that release. As a workaround, administrators who do not rely on Mercurial materials may remove the hg binary from the underlying operating system or Docker image.
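The weakness described above is the general pattern of a user-supplied VCS name reaching a command-line tool unvalidated. As an added illustration, not GoCD's own code or its fix, the block below shows the defender-side controls that contain this class of bug: a conservative allowlist for branch names (rejecting anything starting with a dash, containing whitespace or shell metacharacters, or traversing with `..`) and a helper that builds the `hg` argument vector in list form with an explicit `--` terminator so the name can only ever be read as a positional revision. The function names, the allowlist pattern and the sample inputs are assumptions constructed for this example.

```python
import re
import subprocess
from typing import List

# Allowlist (assumption for this example): first character alphanumeric, then
# letters, digits, '.', '_', '-', '/'. A leading '-' is impossible, so the
# value can never be parsed as an option; no whitespace, quotes, ';', '$', etc.
BRANCH_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")


def is_safe_branch_name(name: str) -> bool:
    """Return True only for names that pass the allowlist and contain no
    path-traversal component or NUL byte."""
    if not isinstance(name, str) or not name or "\x00" in name:
        return False
    if any(part in ("", "..") for part in name.split("/")):
        return False
    return BRANCH_NAME_RE.fullmatch(name) is not None


def build_hg_update_argv(repo_dir: str, branch: str) -> List[str]:
    """Build argv for `hg update <branch>` inside repo_dir.

    The branch name is validated first and then placed after '--', so even a
    name the validator did not anticipate is treated as a revision, not as an
    option. The list form is meant for subprocess with shell=False.
    """
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["hg", "--cwd", repo_dir, "update", "--", branch]


def hg_update(repo_dir: str, branch: str) -> subprocess.CompletedProcess:
    """Run the validated command without a shell (never shell=True here)."""
    argv = build_hg_update_argv(repo_dir, branch)
    return subprocess.run(argv, shell=False, check=True,
                          capture_output=True, text=True)


# Constructed sample inputs: a plausible branch and several shapes a
# validator must refuse before they ever reach the hg binary.
SAMPLE_INPUTS = {
    "default": True,
    "release/2022.1_hotfix-3": True,
    "--help": False,          # would be read as an option without '--'
    "feature; id": False,     # shell metacharacter and whitespace
    "$(whoami)": False,       # command substitution characters
    "../other": False,        # traversal component
    "": False,
}


def check_samples() -> dict:
    """Evaluate every constructed sample; returns {name: validator_result}."""
    return {name: is_safe_branch_name(name) for name in SAMPLE_INPUTS}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{'ALLOW' if ok else 'REJECT':6} {name!r}")
    print(build_hg_update_argv("/srv/gocd/material", "default"))
```

Removing the `hg` binary, as the advisory's workaround does, is the stronger control where Mercurial is unused; where it is needed, the validate-then-`--` pattern above is the defence-in-depth a reviewer would look for in any code that passes repository or branch names to a VCS client.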
The associated EPSS score has remained flat at 0.0529 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33579
Vulnerability details
GoCD is a continuous delivery server. In GoCD versions prior to 22.1.0, it is possible for existing authenticated users who have permissions to edit or create pipeline materials or pipeline configuration repositories to get remote code execution capability on the GoCD server via configuring a malicious branch name which abuses Mercurial hooks/aliases to exploit a command injection weakness. An attacker would require access to an account with existing GoCD administration permissions to either create/edit (`hg`-based) configuration repositories; create/edit pipelines and their (`hg`-based) materials; or, where "pipelines-as-code" configuration repositories are used, to commit malicious configuration to such an external repository which will be automatically parsed into a pipeline configuration and (`hg`) material definition by the GoCD server. This issue is fixed in GoCD 22.1.0. As a workaround, users who do not use/rely upon Mercurial materials can uninstall/remove the `hg`/Mercurial binary from the underlying GoCD Server operating system or Docker image.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.