The GoCD community only actively maintains and fixes security issues on top of the most recent released version.
Since breaking changes are rare, and generally sign-posted well in advance, we encourage users to stay on a recent or current version to allow for upgrade as easily as possible in the event of a security defect.
Having said this, wherever possible we will try and provide suggested mitigations or workarounds for older versions.
Please report any issues to https://hackerone.com/gocd according to the listed policy.
This represents the oldest versions which have no known exploitable vulnerabilities of a given severity, as assessed by GoCD maintainers and/or NIST NVD via CVSS 3.1. Users are strongly recommended to be on at least these versions; and preferably the latest version.
Without known vulns | Version |
---|---|
No >= high severity vulns | 22.1.0 |
No >= medium severity vulns | 23.1.0 |
No known vulns of any severity | 24.1.0 |
Please note that this does not mean that there are zero potential vulnerabilities known from GoCD's dependencies in this or subsequent versions. However where such vulnerabilities exist, none have been confirmed to be exploitable via GoCD itself (without a prior non-GoCD breach).
In more recent years, an effort has been made to publish and request CVEs for responsibly disclosed & fixed issues to increase transparency and help users assess risk of running older versions.
While many are available as GitHub Security Advisories, you can generally use the NIST NVD database query tools to search for those affecting your specific version by replacing the version 22.3.0
with your own and clicking "Search".
Note that this unlikely to be a complete listing of all reported, responsibly disclosed and fixed issues. If there is a publicly disclosed historical issue that is missing, please raise an issue to let us know, and we will endeavour to document it properly.
The GoCD team make a concerted effort to keep dependencies up-to-date wherever possible, however GoCD does still have some EOL dependencies with known vulnerabilities that GoCD is not vulnerable to, but which may create noise in scanner reports.
While this is a moving target the GoCD team maintain documented suppressions with commentary via:
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。