CVE-2022-29184: 
GoCD Server vulnerability analysis and mitigation

CVE-2022-29184 affects GoCD, a continuous delivery server, in versions prior to 22.1.0. The vulnerability allows authenticated users with specific permissions to achieve remote code execution on the GoCD server through malicious branch name configuration that exploits Mercurial hooks/aliases via command injection (GitHub Advisory).

The vulnerability is classified as a command injection weakness (CWE-77 and CWE-88) with a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The attack requires an authenticated user with GoCD administration permissions to either create/edit Mercurial-based configuration repositories, create/edit pipelines with Mercurial-based materials, or commit malicious configuration to external repositories that will be parsed into pipeline configurations (GitHub Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code on the GoCD server, potentially leading to complete system compromise with high impact on confidentiality, integrity, and availability of the server (GitHub Advisory).

The vulnerability is fixed in GoCD version 22.1.0. As a workaround for users who cannot immediately upgrade, those who do not use Mercurial materials can uninstall or remove the hg/Mercurial binary from the underlying GoCD Server operating system or Docker image (GitHub Advisory).