CVE-2022-36088 MEDIUM

CVE-2022-36088: GoCD Windows installations outside default location inadequately restrict installation file permissions

Vendor Gocd

Product gocd

Weakness CWE-284

Published September 7, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

5.0/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the server GoCD Server or Agent are installed on to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files (x86)`, verify the the permission of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions.

Key dates

02Disclosure timeline

September 7, 2022 CVE published

April 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-36088 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

CVE-2022-36088: GoCD Windows installations outside default location inadequately restrict installation file permissions

01Description

02Disclosure timeline

03References

04Related CVE