CVE-2023-28630: 
GoCD Server vulnerability analysis and mitigation

GoCD, an open source continuous delivery server, versions from 20.5.0 to 23.1.0 contained a vulnerability where database credentials could be exposed in admin alerts if the server was misconfigured. The vulnerability (CVE-2023-28630) was discovered and disclosed in March 2023. The issue specifically affects environments where backups are enabled but the server lacks access to PostgreSQL's pg_dump or MySQL's mysqldump utility tools (NIST, GitHub Advisory).

The vulnerability is triggered when the GoCD server host is misconfigured with backups enabled but lacks access to the required backup utilities (pg_dump for PostgreSQL or mysqldump for MySQL). In such cases, when the backup attempt fails, the shell environment used for the launch attempt is reported in the server admin alert, which includes the plaintext database password that was supplied to the configured tool. The vulnerability has a CVSS v3.1 base score of 4.2 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N (NIST).

If exploited, this vulnerability could lead to the exposure of database credentials through admin alerts in the GoCD user interface. The vulnerability only affects PostgreSQL and MySQL database configurations - it does not impact the default on-disk H2 database that GoCD typically uses (GitHub Advisory).

The vulnerability has been fixed in GoCD version 23.1.0. For users unable to upgrade immediately, there are two recommended workarounds: either disable backups entirely, or ensure that the required pg_dump (PostgreSQL) or mysqldump (MySQL) binaries are available on the GoCD server when backups are triggered (GitHub Advisory).