CVE-2023-28630

4.2 MEDIUM

📋 TL;DR

GoCD versions 20.5.0 through 23.1.0 can leak database credentials in admin alerts when backups are enabled but required database dump utilities are missing. This affects administrators who have misconfigured their GoCD server with database backups enabled without installing pg_dump or mysqldump tools.

💻 Affected Systems

Products:
  • GoCD
Versions: 20.5.0 up to, but not including, 23.1.0
Operating Systems: All platforms running GoCD
Default Config Vulnerable: ✅ No
Notes: Only affects PostgreSQL or MySQL database configurations with backups enabled but missing pg_dump/mysqldump utilities. Does not affect default H2 database.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Database credentials are exposed in plaintext in the GoCD admin interface, potentially allowing attackers with admin access to compromise the database.

🟠 Likely Case

Administrators accidentally expose database passwords in admin alerts, which could be viewed by other authorized users with admin privileges.

🟢 If Mitigated

No credential exposure occurs when backups are disabled or when proper database dump utilities are installed.

🌐 Internet-Facing: MEDIUM - If GoCD admin interface is internet-accessible, exposed credentials could be harvested by attackers.
🏢 Internal Only: LOW - Requires admin access to view the alerts, limiting exposure to authorized personnel.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access to view the GoCD admin alerts interface where credentials would be displayed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 23.1.0

Vendor Advisory: https://github.com/gocd/gocd/security/advisories/GHSA-p95w-gh78-qjmv

Restart Required: Yes

Instructions:

1. Download GoCD 23.1.0 or later from https://www.gocd.org/download/
2. Stop the GoCD server
3. Back up configuration and data
4. Install the new version
5. Restart the GoCD server

🔧 Temporary Workarounds

Disable database backups (platform: all)

Turn off database backup functionality in GoCD configuration.

Edit GoCD configuration to set backup.enabled=false

Install required database utilities (platform: linux)

Ensure pg_dump (PostgreSQL) or mysqldump (MySQL) is installed and accessible:

# For PostgreSQL:
sudo apt-get install postgresql-client
# For MySQL:
sudo apt-get install mysql-client

🧯 If You Can't Patch

  • Disable database backups in GoCD configuration
  • Ensure only trusted administrators have access to GoCD admin interface

🔍 How to Verify

Check if Vulnerable:

Check whether the GoCD version is 20.5.0 or later but below 23.1.0, and whether the server uses PostgreSQL/MySQL with backups enabled while the pg_dump/mysqldump utilities are missing.

Check Version:

Check GoCD server logs or admin interface for version information

Verify Fix Applied:

Verify that the GoCD version is 23.1.0 or higher, or confirm that backups are disabled or that the required dump utilities are installed.

📡 Detection & Monitoring

Log Indicators:

  • Error messages about missing pg_dump or mysqldump in GoCD server logs
  • Database connection strings or passwords in alert logs

Network Indicators:

  • Unauthorized access attempts to GoCD admin interface

SIEM Query:

Search GoCD logs for 'pg_dump not found', 'mysqldump not found', or database password patterns in alert messages
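The log check above, as an added example that is not part of the original advisory or of GoCD itself. It scans log lines for the two indicators the advisory names (a missing pg_dump/mysqldump error, and a database password appearing in an alert message) and redacts any matched secret before reporting it, so the detector does not itself re-leak the credential. The sample log lines and their format are constructed for this example; GoCD's real log and alert wording is an assumption and should be adjusted to what your server actually emits.

```python
import re

# Constructed sample log lines (not real GoCD output); the message formats are
# assumptions made for this example only.
SAMPLE_LOG = """\
2023-03-20 02:00:01,114 INFO  [backup] Starting scheduled backup
2023-03-20 02:00:01,130 ERROR [backup] Database backup failed: Cannot run program "pg_dump": error=2, No such file or directory
2023-03-20 02:00:01,131 WARN  [health] ServerHealth: Database backup failed for jdbc:postgresql://db.internal:5432/gocd user=gocd password=Sup3rS3cret!
2023-03-20 02:05:00,002 INFO  [pipeline] Scheduled pipeline build-and-test
2023-03-20 02:10:00,500 ERROR [backup] mysqldump not found in PATH
"""

# Indicator 1: the dump utility is missing (the misconfiguration that triggers the leak).
MISSING_TOOL = re.compile(
    r'\b(pg_dump|mysqldump)\b.*(not found|No such file|error=2)', re.I)

# Indicator 2: a credential written into a log/alert line. Three common shapes:
# key=value, a JDBC URL with a password parameter, and user:pass@host.
CRED_PATTERNS = [
    re.compile(r'(password|passwd|pwd)\s*[=:]\s*(\S+)', re.I),
    re.compile(r'jdbc:\w+://[^\s]*[?&;]password=([^&;\s]+)', re.I),
    re.compile(r'://[^/\s:]+:([^@\s]+)@', re.I),
]


def redact(line, secret):
    """Replace the matched secret so the finding can be forwarded to a SIEM safely."""
    return line.replace(secret, '*' * 8)


def scan_log(text):
    """Return a list of findings, one dict per matching line, with secrets redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = MISSING_TOOL.search(line)
        if m:
            findings.append({'line': lineno, 'kind': 'missing_dump_tool',
                             'tool': m.group(1).lower(), 'detail': line})
        for pat in CRED_PATTERNS:
            m = pat.search(line)
            if m:
                # The last capture group in each pattern is the secret itself.
                secret = m.group(m.lastindex)
                findings.append({'line': lineno, 'kind': 'credential_leak',
                                 'detail': redact(line, secret)})
                break
    return findings


def summarize(findings):
    """Count findings per kind; a non-zero credential_leak count is the alerting condition."""
    counts = {}
    for f in findings:
        counts[f['kind']] = counts.get(f['kind'], 0) + 1
    return counts


if __name__ == '__main__':
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']}: {f['kind']}: {f['detail']}")
    print(summarize(results))
```

Run it against a real server log by replacing SAMPLE_LOG with the file contents; a `missing_dump_tool` finding on a server that has backups enabled is the condition under which the advisory says credentials may surface, and any `credential_leak` finding means rotation of that database password is due regardless of the GoCD version.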
