
Cloud Vulnerability DB
A community-led vulnerabilities database
GoCD versions prior to 21.1.0 contained a vulnerability (CVE-2022-39310) that allowed one authenticated agent to impersonate another agent and receive work packages intended for that other agent. The advisory attributes the issue to broken access control and incorrect validation of agent tokens in the GoCD server: the server did not check that the agent identity asserted in a request was the identity the agent had actually authenticated with (GitHub Advisory).
Concretely, the server did not properly validate agent UUIDs on remoting requests, so an agent that was already registered and authenticated could act on behalf of any other agent simply by naming that agent's UUID. The issue received a CVSS v3.1 base score of 4.9 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N: network attack vector, low complexity, high privileges required (the attacker must already control an authenticated agent), no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability (GitHub Advisory).
The impact is information disclosure. Work packages may contain sensitive material, such as credentials that are intended only for specific jobs running on specific agent environments. An attacker who compromised a single agent could therefore obtain decrypted secrets intended for builds on other agents, including agents assigned to more sensitive environments (GitHub Advisory).
The vulnerability was fixed in GoCD 21.1.0. The fix introduced a custom HttpInvokerServiceExporter that validates that the UUID carried in the X-Agent-GUID request header matches the UUID found in the deserialized AgentRuntimeInfo and AgentIdentifier objects, and rejects the request otherwise. No workarounds are known for earlier versions, so upgrading is the only remediation (GitHub PR).
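The following is an added example, not GoCD's own code, that models the pattern described above: a remoting endpoint that hands out per-agent work. The vulnerable handler dispatches on the agent UUID embedded in the deserialized request body, so any authenticated agent can claim another agent's UUID; the hardened handler binds the body UUID to the UUID in the X-Agent-GUID header, as the fix does. The header name and the class names AgentRuntimeInfo and AgentIdentifier come from the advisory and PR; the queue-based server, the sample agents, job names and secret values are constructed for illustration, and it is assumed that the header value is already tied to the authenticated agent by the agent token or TLS layer.

```python
# Added example (not GoCD code): agent identity binding on a work-request endpoint.
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional


@dataclass(frozen=True)
class AgentIdentifier:
    """Identity an agent asserts inside its (deserialized) request body."""
    host_name: str
    ip_address: str
    uuid: str


@dataclass(frozen=True)
class AgentRuntimeInfo:
    """Runtime state an agent sends with each remoting call."""
    identifier: AgentIdentifier
    status: str = "Idle"


@dataclass(frozen=True)
class WorkPackage:
    """Work meant for one specific agent; may carry job-scoped secrets."""
    job_name: str
    secrets: Mapping[str, str]


class AgentMismatchError(Exception):
    """Transport-level agent identity and body identity disagree."""


class WorkServer:
    """Holds one queue of work packages per agent UUID (constructed model)."""

    def __init__(self) -> None:
        self._queues: Dict[str, List[WorkPackage]] = {}

    def assign(self, agent_uuid: str, work: WorkPackage) -> None:
        self._queues.setdefault(agent_uuid, []).append(work)

    def _pop(self, agent_uuid: str) -> Optional[WorkPackage]:
        queue = self._queues.get(agent_uuid)
        return queue.pop(0) if queue else None

    def get_work_vulnerable(self, headers: Mapping[str, str],
                            info: AgentRuntimeInfo) -> Optional[WorkPackage]:
        """Vulnerable pattern: trusts the UUID in the request body only.

        The X-Agent-GUID header (assumed bound to the authenticated agent by
        the token/TLS layer) is never consulted, so an authenticated agent can
        fetch work queued for any UUID it names in the body.
        """
        return self._pop(info.identifier.uuid)

    def get_work_fixed(self, headers: Mapping[str, str],
                       info: AgentRuntimeInfo) -> Optional[WorkPackage]:
        """Hardened pattern: body UUID must equal the authenticated header UUID.

        Mirrors the check the fix describes: the identity in the deserialized
        AgentRuntimeInfo/AgentIdentifier is compared with X-Agent-GUID and the
        request is rejected on any mismatch or missing header.
        """
        header_uuid = headers.get("X-Agent-GUID")
        if header_uuid is None or header_uuid != info.identifier.uuid:
            raise AgentMismatchError(
                f"header agent {header_uuid!r} does not match body agent "
                f"{info.identifier.uuid!r}")
        return self._pop(header_uuid)


def build_server() -> WorkServer:
    """Constructed sample state: a production deploy job queued for agent-b."""
    server = WorkServer()
    server.assign("agent-b", WorkPackage(
        job_name="deploy-prod",
        secrets={"PROD_DB_PASSWORD": "constructed-sample-value"}))
    return server


def impersonation_attempt(server: WorkServer,
                          fixed: bool) -> Optional[WorkPackage]:
    """agent-a (per its authenticated header) sends a body claiming agent-b."""
    headers = {"X-Agent-GUID": "agent-a"}
    spoofed = AgentRuntimeInfo(AgentIdentifier("build-a", "10.0.0.5", "agent-b"))
    handler = server.get_work_fixed if fixed else server.get_work_vulnerable
    return handler(headers, spoofed)


if __name__ == "__main__":
    leaked = impersonation_attempt(build_server(), fixed=False)
    print("vulnerable server handed out:", leaked)
    try:
        impersonation_attempt(build_server(), fixed=True)
    except AgentMismatchError as exc:
        print("fixed server refused:", exc)
```

The check is deliberately placed before any work is dequeued: a mismatch must fail closed rather than fall back to the header or body identity, since either fallback would reintroduce the confusion the fix removes. The same binding should apply to every remoting call that takes an agent identity from the body, not only to the work-request call shown here.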
Source: This report was generated using AI