
GoCD before 21.1.0 has server secret encryption/decryption key accidentally leaked to agents during material serialization

Moderate
chadlwilson published GHSA-f9qg-xcxq-cgv9 Oct 14, 2022

Package

gocd-server

Affected versions

< 21.1.0

Patched versions

21.1.0

Description

Impact

GoCD versions prior to 21.1.0 leak the symmetric key used to encrypt and decrypt secure variables and other secrets in the GoCD configuration to authenticated agents, as part of the material objects serialized to them. A malicious or compromised agent can read that key out of memory and, if the attacker can also obtain encrypted configuration values from the GoCD server, use it to decrypt secrets intended for other agents or environments. Users who neither use secret variables nor store passwords or credentials for external systems or source control servers in the GoCD server configuration are unaffected by this vulnerability.
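The following is an added example, not GoCD's own code, modelling the failure mode described above: a material object holds a reference to the server's cipher, a reflective serializer sends the whole object graph to the agent, and the agent recovers the key and decrypts a secret that belongs to a different environment. It then shows the same serializer with the cipher field excluded. All names (GoCipher, GitMaterial, serialize_for_agent_vulnerable, serialize_for_agent_fixed, key_leaked_in) are illustrative; the cipher is an HMAC-SHA256 keystream stand-in for GoCD's AES so the script runs with the standard library only, and the "AES:<iv>:<ciphertext>" token layout is an assumption modelled on GoCD's encrypted config values.

```python
"""Added example (not GoCD code): a server secret key leaking through
reflective serialization of materials, and the excluded-field fix."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def _unb64(s: str) -> bytes:
    return base64.b64decode(s)


class GoCipher:
    """Server-side encrypt/decrypt helper that holds the secret key.

    Stand-in: HMAC-SHA256 keystream in counter mode instead of GoCD's AES
    (assumption, dependency-free). Token layout "AES:<iv>:<ct>" is assumed.
    """

    def __init__(self, key: bytes):
        self.key = key

    def _keystream(self, iv: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self.key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: str) -> str:
        iv = secrets.token_bytes(16)
        data = plaintext.encode()
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(iv, len(data))))
        return "AES:%s:%s" % (_b64(iv), _b64(ct))

    def decrypt(self, token: str) -> str:
        scheme, iv_b64, ct_b64 = token.split(":")
        if scheme != "AES":
            raise ValueError("unsupported scheme")
        iv, ct = _unb64(iv_b64), _unb64(ct_b64)
        return bytes(a ^ b for a, b in zip(ct, self._keystream(iv, len(ct)))).decode()


class GitMaterial:
    """A material as the server holds it: encrypted password plus a reference
    to the cipher used to decrypt it at runtime (illustrative, not GoCD's class)."""

    TRANSIENT = {"cipher"}  # fields the agent must never receive (fixed serializer only)

    def __init__(self, url: str, encrypted_password: str, cipher: GoCipher):
        self.url = url
        self.encrypted_password = encrypted_password
        self.cipher = cipher

    def password(self) -> str:
        return self.cipher.decrypt(self.encrypted_password)


def _to_jsonable(obj, transient):
    """Walk an object graph by reflection, the way a generic serializer does."""
    if isinstance(obj, bytes):
        return _b64(obj)
    if isinstance(obj, (str, int, float, bool)) or obj is None:
        return obj
    if isinstance(obj, (list, tuple)):
        return [_to_jsonable(x, transient) for x in obj]
    return {k: _to_jsonable(v, transient) for k, v in vars(obj).items() if k not in transient}


def serialize_for_agent_vulnerable(material) -> str:
    # Whole graph serialized: the cipher, and therefore its key, rides along.
    return json.dumps(_to_jsonable(material, transient=set()))


def serialize_for_agent_fixed(material) -> str:
    # Same walk, but the cipher reference is dropped before the payload is built.
    return json.dumps(_to_jsonable(material, transient=material.TRANSIENT))


def key_leaked_in(payload: str) -> Optional[bytes]:
    """Malicious-agent side: pull a cipher key out of the received payload, if any."""
    cipher = json.loads(payload).get("cipher")
    return _unb64(cipher["key"]) if cipher and "key" in cipher else None


def demo() -> dict:
    server_cipher = GoCipher(secrets.token_bytes(32))  # the server's single secret key
    # Constructed secret for another environment; this agent must never see it in clear.
    prod_db_password = server_cipher.encrypt("prod-db-hunter2")
    material = GitMaterial("https://git.example.com/app.git",
                           server_cipher.encrypt("ci-readonly-token"), server_cipher)

    leaked_key = key_leaked_in(serialize_for_agent_vulnerable(material))
    # The agent rebuilds the cipher from the leaked key and decrypts the prod secret.
    recovered = GoCipher(leaked_key).decrypt(prod_db_password) if leaked_key else None

    safe = serialize_for_agent_fixed(material)
    return {
        "vulnerable_payload_has_key": leaked_key is not None,
        "recovered_prod_secret": recovered,
        "fixed_payload_has_key": key_leaked_in(safe) is not None,
        "fixed_payload_keeps_url": json.loads(safe)["url"] == material.url,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the example makes is that the material itself only needs the ciphertext and the URL on the agent; the decryption capability is a server concern, so the serializer has to exclude it explicitly rather than rely on the key never being reachable from the object graph.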

Patches

Fixed in GoCD 21.1.0.

Workarounds

None known.

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate, 4.9 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2022-39309

Credits