How severe is CVE-2022-39311?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2022-39311?

This is classified as CWE-502, which is a common weakness in software security.

CVE-2022-39311 - HIGH Severity | CVSS 8.8

Vulnerability Description

GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need to either compromise an existing agent, its network communication or register a new agent to practically exploit this vulnerability. This issue is fixed in GoCD version 21.1.0. There are currently no known workarounds.

Related Vulnerabilities

CVE-2016-10753

HIGH

CVSS:8.8(High)

e107 2.1.2 allows PHP Object Injection with resultant SQL injection, because usersettings.php uses unserialize without an HMAC.

CWE-5022016

CVE-2016-1487

HIGH

CVSS:8.8(High)

Lexmark Markvision Enterprise before 2.3.0 misuses the Apache Commons Collections Library, leading to remote code execution because of Java deserialization.

CWE-5022016

CVE-2016-4398

HIGH

CVSS:8.8(High)

A remote arbitrary code execution vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10 using Java Deserialization.

CWE-5022016

CVE-2016-4405

HIGH

CVSS:8.8(High)

A remote code execution vulnerability was identified in HP Business Service Management (BSM) using Apache Commons Collection Java Deserialization versions v9.20-v9.26

CWE-5022016

CVE-2016-7065

HIGH

CVSS:8.8(High)

The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serializ...

CWE-5022016

CVE-2016-8744

HIGH

CVSS:8.8(High)

Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration ...

CWE-5022016