CVE-2022-29183

Name: CVE-2022-29183
Creator: NVD / NIST
Published: 2022-05-20T19:15:08.333+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.1/10EPSS 0.80%

Last modified Jun 17, 2026

CVE-2022-29183 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. EPSS estimates a 0.80% chance of exploitation in the next 30 days.

Description

GoCD is a continuous delivery server. GoCD versions 20.2.0 until 21.4.0 are vulnerable to reflected cross-site scripting via abuse of the pipeline comparison function's error handling to render arbitrary HTML into the returned page. This could allow an attacker to trick a victim into executing code which would allow the attacker to operate on, or gain control over the same resources as the victim had access to. This issue is fixed in GoCD 21.4.0. As a workaround, block access to `/go/compare/.*` prior to GoCD Server via a reverse proxy, web application firewall or equivalent, which would prevent use of the pipeline comparison function.

Metrics

CVSS 3.1

6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

0.80%

51.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Thoughtworks	Gocd	>= 20.2.0, < 21.4.0

References

https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1Patch
https://github.com/gocd/gocd/releases/tag/21.4.0Release Notes, Third Party Advisory
https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gfThird Party Advisory
https://www.gocd.org/releases/#21-4-0Release Notes, Vendor Advisory
https://github.com/gocd/gocd/pull/9829/commits/bda81084c0401234b168437cf35a63390e3064d1Patch
https://github.com/gocd/gocd/releases/tag/21.4.0Release Notes, Third Party Advisory
https://github.com/gocd/gocd/security/advisories/GHSA-3vvq-q4qv-x2gfThird Party Advisory
https://www.gocd.org/releases/#21-4-0Release Notes, Vendor Advisory

Timeline

Published: May 20, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-29183?

How severe is CVE-2022-29183?

CVE-2022-29183 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 0.80% probability of exploitation in the next 30 days.

How do I fix CVE-2022-29183?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-29183?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST