
GoCD before 21.1.0 allows compromised agents to execute remote code on GoCD Server

Critical
chadlwilson published GHSA-2hjh-3p3p-8hcm Oct 14, 2022

Package

gocd-server

Affected versions

< 21.1.0

Patched versions

21.1.0

Description

Impact

GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed for agent communication allowed deserialization of arbitrary Java objects, and subsequently remote code execution. Exploitation requires agent-level authentication, so to exploit this vulnerability in practice an attacker would need to compromise an existing agent or its network communication, or register a new agent.
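The root cause above is an endpoint that hands untrusted bytes to Java serialization with no restriction on which classes may be reconstructed. The following is an added illustration of the general mitigation for that class of bug, a JEP 290 deserialization allowlist; it is not GoCD's code and does not describe how GoCD 21.1.0 fixed the issue. It assumes a JDK 9 or later runtime, and the `AgentPing` message type and the filter limits are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

// Stand-in for the one message type the endpoint is meant to receive (constructed for this example).
class AgentPing implements Serializable {
    private static final long serialVersionUID = 1L;
    final String agentId;
    AgentPing(String agentId) { this.agentId = agentId; }
}

public class DeserializationFilterDemo {

    // JEP 290 allowlist: the expected message class plus java.lang.String. "!*" rejects every
    // other class before its readObject runs; maxdepth/maxrefs cap nesting and object count.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "AgentPing;java.lang.String;!*;maxdepth=5;maxrefs=50");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Reads one object with the allowlist attached; any class outside it raises InvalidClassException.
    static Object deserializeGuarded(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        AgentPing ping = (AgentPing) deserializeGuarded(serialize(new AgentPing("agent-01")));
        System.out.println("accepted: " + ping.agentId);

        // A stream carrying any class not on the list is refused, whatever it wraps.
        try {
            deserializeGuarded(serialize(new ArrayList<String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be applied process-wide with the `jdk.serialFilter` system property, which is a useful stopgap when the deserializing code cannot be changed immediately.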

Patches

Fixed in GoCD 21.1.0.

Workarounds

None known.

For more information

If you have any questions or comments about this advisory:

Severity

Critical, 9.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2022-39311
