{"id":"CVE-2022-39311","summary":"Compromised agents may be able to execute remote code on GoCD Server","details":"GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary Java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication or register a new agent to practically exploit this vulnerability. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.","aliases":["GHSA-2hjh-3p3p-8hcm"],"modified":"2026-04-10T04:50:21.558119Z","published":"2022-10-14T00:00:00Z","database_specific":{"cwe_ids":["CWE-502"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39311.json"},"references":[{"type":"WEB","url":"https://www.gocd.org/releases/#21-1-0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39311.json"},{"type":"ADVISORY","url":"https://github.com/gocd/gocd/security/advisories/GHSA-2hjh-3p3p-8hcm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39311"},{"type":"FIX","url":"https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gocd/gocd","events":[{"introduced":"0"},{"fixed":"5a4959c7c4ede49165ec961b0219126cd5aa9e52"}]}],"versions":["14.2.0","14.3.0","14.4.0","15.1.0","15.2.0","15.3.0","16.1.0","16.10.0","16.11.0","16.12.0","16.2.0","16.3.0","16.4.0","16.5.0","16.6.0","16.7.0","16.8.0","16.9.0","17.1.0","17.10.0","17.11.0","17.12.0","17.2.0","17.3.0","17.4.0","17.5.0","17.6.0","17.7.0","17.8.0","17.9.0","18.1.0","18.10.0","18.11.0","18.12.0","18.2.0","18.3.0","18.4.0","18.5.0","18.6.0","18.7.0","18.8.0","18.9.0","19.1.0","19.10.0","19.11.0","19.12.0","19.2.0","19.3.0","19.4.0","19.5.0","19.6.0","19.7.0","19.8.0","19.9.0","20.1.0","20.10.0","20.2.0","20.3.0","20.4.0","20.5.0","20.6.0","20.7.0","20.8.0","20.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39311.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}]}