CVE-2022-36088 in GoCD

Summary

by MITRE • 09/08/2022

GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server that GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the permission of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions.


Analysis

by VulDB Data Team • 10/14/2022

CVE-2022-36088 affects the Windows installers for the GoCD server and agent in versions prior to 22.2.0. It applies only when the installer is pointed at a directory outside `Program Files` or `Program Files (x86)`: in that case the installer leaves the installation directory writable by the `Everyone` group. The weakness is local, not remote, and requires an account that can already log on to the host, but on a CI/CD machine that is a meaningful risk: anyone with such an account can tamper with the build and deployment tooling, and a modified executable then runs with whatever privileges the GoCD service account has.

The root cause is in the installer. When the target directory is outside the Program Files tree, the installer does not apply a restrictive ACL to the directory it creates, so the directory keeps whatever permissive ACL it inherits from its parent (a directory created at the root of a data drive, for example, is far more permissive than one under Program Files), and `Everyone` ends up with write access to the installation. MITRE classifies this as CWE-276 (Incorrect Default Permissions). Installs under `Program Files` and `Program Files (x86)` are unaffected because Windows already denies write access to standard users there by default. The practical effect is that any local user can replace or alter GoCD executables, scripts and configuration, which is enough for arbitrary code execution in the context of the GoCD service and, depending on how that service runs, full compromise of the host.

The operational impact goes beyond privilege escalation on one machine, because the compromised component sits in the continuous delivery pipeline. A local user on a GoCD server or agent host could modify the installation to inject code into builds, alter build steps, or tamper with what gets deployed, and a single compromised agent or server can touch every pipeline that runs through it. The scope is narrow: only the Windows installers are affected, not zip-based installs, not other operating systems, and not installations inside the Program Files directories, where the default permissions are already adequate.

The primary fix is to upgrade to GoCD 22.2.0 or later, whose installers set correct permissions on the installation directory. Where an immediate upgrade is not possible, administrators should audit the ACL of every server or agent installation that lives outside `Program Files` or `Program Files (x86)` and confirm that the `Everyone` group has none of `Full Control`, `Modify` or `Write` on the installation directory; since ACLs are usually inherited, the files and subdirectories underneath should be checked as well. VulDB maps the issue to ATT&CK technique T1068 (Exploitation for Privilege Escalation). Removing the broad write access closes the weakness without interrupting the service, which makes the workaround a reasonable bridge until the upgrade is done.
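The workaround above is a manual ACL check. The following PowerShell script is an added example (not GoCD's own code or a VulDB tool) that performs that check and, on request, removes the offending ACEs. It assumes `$InstallPath` is the directory the installer was pointed at (for example `D:\GoCD\server`), matches `Everyone` by its well-known SID `S-1-1-0` so it works on localized Windows, and extends the advisory's check to `Authenticated Users` (`S-1-5-11`) and `BUILTIN\Users` (`S-1-5-32-545`), since a write ACE for either group gives the same low-privileged local tampering ability. Run it from an elevated prompt.

```powershell
# Added example: audit a GoCD Server/Agent install directory on Windows for the
# weak ACLs described in CVE-2022-36088 and optionally remove them.
# Assumed parameters: -InstallPath is the directory the installer was pointed at.
param(
    [Parameter(Mandatory = $true)][string]$InstallPath,
    [switch]$Recurse,     # also check every file and subdirectory underneath
    [switch]$Remediate    # remove the offending ACEs instead of only reporting
)

# Everyone, Authenticated Users, BUILTIN\Users (by SID, so localized names do not matter).
# The advisory names only Everyone; the other two are added here as an extension.
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Any of these bits lets a principal alter the installed files or their ACLs.
# Modify and FullControl are supersets of this mask, so they are caught too.
$dangerous = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-WeakAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or unresolvable SID: not one of the broad groups
        if ($broadSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $dangerous) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Ace       = $ace
        }
    }
}

$targets = @(Get-Item -LiteralPath $InstallPath)
if ($Recurse) { $targets += Get-ChildItem -LiteralPath $InstallPath -Recurse -Force }

$findings = foreach ($t in $targets) { Get-WeakAces -Path $t.FullName }

if (-not $findings) {
    Write-Host "OK: no Everyone/Users write access under $InstallPath"
    exit 0
}

$findings | Select-Object Path, Identity, Rights, Inherited | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        $acl = Get-Acl -LiteralPath $f.Path
        if ($f.Inherited) {
            # An inherited ACE cannot be removed directly. Break inheritance while
            # keeping copies of the current ACEs (SYSTEM, Administrators, ...) as
            # explicit entries, then the copied Everyone/Users entry can be removed.
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $f.Path -AclObject $acl
            $acl = Get-Acl -LiteralPath $f.Path
        }
        # Drop every Allow ACE for this identity, not only the one that matched.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $f.Ace.IdentityReference, $f.Ace.FileSystemRights,
            $f.Ace.InheritanceFlags, $f.Ace.PropagationFlags, 'Allow')
        $acl.RemoveAccessRuleAll($rule)
        Set-Acl -LiteralPath $f.Path -AclObject $acl
        Write-Host "Removed $($f.Identity) ($($f.Rights)) from $($f.Path)"
    }
}
exit 1
```

Usage: `.\Check-GoCDAcl.ps1 -InstallPath 'D:\GoCD\server' -Recurse` reports and exits 1 if any broad group can write; add `-Remediate` to strip those ACEs. The script checks the rights mask with `-band` rather than comparing against the literal names `FullControl`, `Modify` and `Write`, because an ACE can carry an arbitrary combination of bits; the mask includes Delete, ChangePermissions and TakeOwnership as well, since any of those lets a user regain write access. Breaking inheritance on a path is a deliberate change to that directory, so review the reported entries before running with `-Remediate`.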

Responsible

GitHub, Inc.

Reservation

07/15/2022

Disclosure

09/08/2022

Moderation

accepted

CPE

ready

EPSS

0.00222

KEV

no

Activities

very low

Sources
