CVE-2022-39308: GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoC...

Description

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access token generated by a user for API access. This issue is fixed in GoCD version 19.11.0. As a workaround, users can apply rate limiting or insert random delays to API calls made to GoCD Server via a reverse proxy or other fronting web server. Another workaround, users may disallow use of access tokens by users by having an administrator revoke all access tokens through the "Access Token Management" admin function.

Metrics

CVSS 3.1

5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.62%

45.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Thoughtworks	Gocd	>= 19.2.0, < 19.11.0

References

https://github.com/gocd/gocd/commit/236d4baf92e6607f2841c151c855adcc477238b8Patch, Third Party Advisory
https://github.com/gocd/gocd/releases/tag/19.11.0Release Notes, Third Party Advisory
https://github.com/gocd/gocd/security/advisories/GHSA-999p-fp84-jcpqThird Party Advisory
https://www.gocd.org/releases/#19-11-0Release Notes, Vendor Advisory
https://github.com/gocd/gocd/commit/236d4baf92e6607f2841c151c855adcc477238b8Patch, Third Party Advisory
https://github.com/gocd/gocd/releases/tag/19.11.0Release Notes, Third Party Advisory
https://github.com/gocd/gocd/security/advisories/GHSA-999p-fp84-jcpqThird Party Advisory
https://www.gocd.org/releases/#19-11-0Release Notes, Vendor Advisory

Timeline

Published: Oct 14, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-39308?

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access token generated by a user for API access. This issue is fixed in GoCD version 19.11.0. As a workaround, users can apply rate limiting or insert random delays to API calls made to GoCD Server via a reverse proxy or other fronting web server. Another workaround, users may disallow use of access tokens by users by having an administrator revoke all access tokens through the "Access Token Management" admin function.

How severe is CVE-2022-39308?

CVE-2022-39308 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 0.62% probability of exploitation in the next 30 days.

How do I fix CVE-2022-39308?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.