NVD

NOTICE UPDATE

NIST has updated the NVD program announcement page with additional information regarding recent concerns and the temporary delays in enrichment efforts.

CVE-2022-24832 Detail

Description

GoCD is an open source a continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it can allow an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, allowing them to deduce facts about other users or entries within the LDAP database (e.g alternate fields, usernames, hashed passwords etc) through brute force mechanisms. This only affects users who have a working LDAP authorization configuration enabled on their GoCD server, and only is exploitable by users authenticating using such an LDAP configuration. This issue has been fixed in GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144.

Severity

CVSS 3.x Severity and Metrics:

NIST: NVD

Base Score: 6.8 MEDIUM

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Nist CVSS score does not match with CNA score

CNA: GitHub, Inc.

Base Score: 8.2 HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: It is possible that the NVD CVSS may not match that of the CNA. The most common reason for this is that publicly available information does not provide sufficient detail or that information simply was not available at the time the CVSS vector string was assigned.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://docs.gocd.org/22.1.0/configuration/dev_authentication.html#ldapad-authentication	Vendor Advisory
https://github.com/gocd/gocd-ldap-authentication-plugin	Product Third Party Advisory
https://github.com/gocd/gocd-ldap-authentication-plugin/commit/87fa7dac5d899b3960ab48e151881da4793cfcc3	Patch Third Party Advisory
https://github.com/gocd/gocd-ldap-authentication-plugin/releases/tag/v2.2.0-144	Release Notes Third Party Advisory
https://github.com/gocd/gocd/pull/10244	Patch Third Party Advisory
https://github.com/gocd/gocd/releases/tag/22.1.0	Release Notes Third Party Advisory
https://github.com/gocd/gocd/security/advisories/GHSA-x5v3-x9qj-mh3h	Third Party Advisory
https://www.gocd.org/releases/#22-1-0	Release Notes Vendor Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	GitHub, Inc.

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

1 change records found show changes

Initial Analysis by NIST 4/19/2022 11:25:05 AM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR cpe:2.3:a:thoughtworks:gocd::::::::* versions from (including) 17.5.0 up to (excluding) 22.1.0
Added	CVSS V2		NIST (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Added	CVSS V3.1		NIST AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Changed	Reference Type	https://docs.gocd.org/22.1.0/configuration/dev_authentication.html#ldapad-authentication No Types Assigned	https://docs.gocd.org/22.1.0/configuration/dev_authentication.html#ldapad-authentication Vendor Advisory
Changed	Reference Type	https://github.com/gocd/gocd-ldap-authentication-plugin No Types Assigned	https://github.com/gocd/gocd-ldap-authentication-plugin Product, Third Party Advisory
Changed	Reference Type	https://github.com/gocd/gocd-ldap-authentication-plugin/commit/87fa7dac5d899b3960ab48e151881da4793cfcc3 No Types Assigned	https://github.com/gocd/gocd-ldap-authentication-plugin/commit/87fa7dac5d899b3960ab48e151881da4793cfcc3 Patch, Third Party Advisory
Changed	Reference Type	https://github.com/gocd/gocd-ldap-authentication-plugin/releases/tag/v2.2.0-144 No Types Assigned	https://github.com/gocd/gocd-ldap-authentication-plugin/releases/tag/v2.2.0-144 Release Notes, Third Party Advisory
Changed	Reference Type	https://github.com/gocd/gocd/pull/10244 No Types Assigned	https://github.com/gocd/gocd/pull/10244 Patch, Third Party Advisory
Changed	Reference Type	https://github.com/gocd/gocd/releases/tag/22.1.0 No Types Assigned	https://github.com/gocd/gocd/releases/tag/22.1.0 Release Notes, Third Party Advisory
Changed	Reference Type	https://github.com/gocd/gocd/security/advisories/GHSA-x5v3-x9qj-mh3h No Types Assigned	https://github.com/gocd/gocd/security/advisories/GHSA-x5v3-x9qj-mh3h Third Party Advisory
Changed	Reference Type	https://www.gocd.org/releases/#22-1-0 No Types Assigned	https://www.gocd.org/releases/#22-1-0 Release Notes, Vendor Advisory

Quick Info

CVE Dictionary Entry:
CVE-2022-24832
NVD Published Date:
04/11/2022
NVD Last Modified:
04/19/2022
Source:
GitHub, Inc.

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database