
GoCD before 22.2.0: Windows installations outside the default location inadequately restrict installation file permissions

Moderate
chadlwilson published GHSA-gpv4-xqhc-5vcj Sep 7, 2022

Package

gocd-server, gocd-agent

Affected versions

< 22.2.0

Patched versions

22.2.0

Description

Impact

Windows installations performed with either the server or agent installer for GoCD prior to 22.2.0 do not adequately restrict file permissions when installing outside of the default location. This could allow a malicious user with local access to the machine on which GoCD Server or Agent is installed to modify executables or other components of the installation.

This does not affect zip file-based installs, installations to other platforms, or installations inside Program Files or Program Files (x86).

Patches

Fixed in GoCD 22.2.0 installers.

Workarounds

If your server or agent is installed outside of Program Files (x86), verify the permissions on the Server or Agent installation directory to ensure the Everyone user group does not have Full Control, Modify or Write permissions.
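The permission check described in the workaround can be scripted. The following PowerShell function is an added example, not code from the GoCD project or this advisory; the installation path it is run against is an assumption.

```powershell
# Added example (not from the GoCD advisory or project): audit a GoCD Server/Agent
# installation directory for "Everyone" ACEs that grant Full Control, Modify or Write.
function Test-GoCDInstallAcl {
    param(
        # Assumed install location; adjust to where your Server or Agent actually lives.
        [Parameter(Mandatory)] [string] $Path
    )

    # Rights that would let any local user replace executables or other components.
    $riskyRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl

    # Well-known SID S-1-1-0 is "Everyone" regardless of the system's UI language.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

    $acl = Get-Acl -Path $Path
    $findings = foreach ($ace in $acl.Access) {
        # Only Allow entries widen access; Deny entries are not a problem here.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Compare by SID so the check does not depend on the localized account name.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -ne $everyone) { continue }

        if ([int]($ace.FileSystemRights -band $riskyRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

# Example invocation against an assumed non-default install directory.
# An empty result means no risky "Everyone" entry was found on that directory.
Test-GoCDInstallAcl -Path 'D:\GoCD\server' | Format-Table -AutoSize
```

Entries reported with Inherited = True come from a parent directory and must be corrected there (or inheritance broken on the install directory) rather than removed from the directory itself.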

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate
5.0 / 10

CVSS base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

CVE ID

CVE-2022-36088

Weaknesses