cvedb.io
CVE-2022-39308
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2022-10-14T19:15:18.310 · Last modified 2026-06-17T04:58:06.910

Summary

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access token generated by a user for API access. This issue is fixed in GoCD version 19.11.0. As a workaround, users can apply rate limiting or insert random delays to API calls made to GoCD Server via a reverse proxy or other fronting web server. Another workaround, users may disallow use of access token

Affected products

thoughtworks — gocd

Does this affect you?

Add your gear to cvedb and we'll alert you only when thoughtworks ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.