CVE-2022-36088: CWE-284: Improper Access Control in gocd gocd
GoCD is a continuous delivery server. Windows installations via either the server or agent installers for GoCD prior to 22.2.0 do not adequately restrict permissions when installing outside of the default location. This could allow a malicious user with local access to the host on which GoCD Server or Agent is installed to modify executables or components of the installation. This does not affect zip file-based installs, installations to other platforms, or installations inside `Program Files` or `Program Files (x86)`. This issue is fixed in GoCD 22.2.0 installers. As a workaround, if the server or agent is installed outside of `Program Files` or `Program Files (x86)`, verify the permissions of the Server or Agent installation directory to ensure the `Everyone` user group does not have `Full Control`, `Modify` or `Write` permissions.
AI Analysis
Technical Summary
CVE-2022-36088 is a medium-severity vulnerability in GoCD, a continuous delivery server used to automate software deployment pipelines. It affects Windows installations of the GoCD server or agent made with the vendor's installers in versions prior to 22.2.0 when the install location is outside the default directories ("Program Files" or "Program Files (x86)"). In that case the installer does not restrict file system permissions on the installation directory, so the directory simply inherits whatever access the chosen parent location grants; "Program Files" is protected by default, while other locations such as the root of a data volume typically grant broad groups write access. This improper access control (CWE-284) and improper privilege management (CWE-269) allows any local user on the host to modify executables or other components of the GoCD installation. Because the installers register GoCD as a Windows service, a tampered executable runs with the service's privileges the next time the service starts, which gives a local attacker privilege escalation, arbitrary code execution, and the ability to tamper with the continuous delivery pipeline, compromising the integrity and availability of the software delivery process. The vulnerability does not affect zip file-based installations or installations on non-Windows platforms. The vendor fixed the issue in the GoCD 22.2.0 installers. The recommended workaround for affected systems is to verify and restrict the NTFS permissions of the installation directory so that the "Everyone" group does not hold "Full Control", "Modify" or "Write", which prevents unauthorized local modification. No exploits in the wild had been reported as of the publication date (September 7, 2022).
Potential Impact
For European organizations, the impact of CVE-2022-36088 primarily concerns the integrity and availability of continuous delivery pipelines managed by GoCD on Windows servers or agents installed outside default directories. An attacker with local access—such as an insider threat, compromised user account, or lateral movement from another compromised system—could alter GoCD executables or components, potentially injecting malicious code or disrupting deployment workflows. This could lead to unauthorized code execution, deployment of malicious software, or denial of service in critical software delivery environments. Given that GoCD is used in software development and operations, such tampering can undermine software supply chain security, which is a high priority in Europe due to regulatory frameworks like the EU Cybersecurity Act and NIS Directive. While the vulnerability requires local access and is mitigated by default installation paths, organizations with custom installation practices or lax local access controls are at higher risk. The absence of known exploits reduces immediate threat but does not eliminate risk, especially in environments with privileged users or insufficient endpoint security controls.
Mitigation Recommendations
1. Upgrade all GoCD Windows server and agent installations to version 22.2.0 or later, whose installers restrict permissions on the installation directory.
2. For existing installations outside the default directories, audit the NTFS permissions on the GoCD installation folder immediately. Remove "Full Control", "Modify" and "Write" from the "Everyone" group and from any other non-administrative principal; in practice "Authenticated Users" and "BUILTIN\Users" deserve the same scrutiny, and entries inherited from the parent directory (for example a drive root) must have inheritance broken rather than be edited in place. Check the server and the agent directories separately, since both installers are affected.
3. Prefer the default installation directories ("Program Files" or "Program Files (x86)") for GoCD installations so that the default Windows permissions on those trees protect the binaries.
4. Enforce strict local user access controls and endpoint security measures to prevent unauthorized local access to build servers and agents.
5. Monitor the integrity of GoCD executables and components with file integrity monitoring tools to detect unauthorized changes.
6. Feed GoCD server and agent hosts into centralized logging and alerting so that suspicious local activity, such as permission changes or new files in the installation directory, is detected.
7. Educate system administrators and DevOps teams on secure installation practices and on the risk of weak permissions on critical infrastructure.
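The permission audit described in the recommendations above, as an added PowerShell example that is not code from the GoCD project or from this advisory: it walks a server or agent installation directory, reports every allow ACE that gives a broad group write-capable rights, and with -Fix breaks inheritance where needed and replaces each such ACE with a ReadAndExecute ACE of the same scope. The default path D:\GoCD\server, the list of broad principals and the choice to downgrade to ReadAndExecute rather than remove the principal entirely are assumptions for illustration.

```powershell
<#
 Added example, not code from the GoCD project or this advisory.
 Audits the NTFS ACL of a GoCD Server or Agent install directory that sits
 outside Program Files and, with -Fix, replaces every write-capable ACE held
 by a broad group with a ReadAndExecute ACE of the same scope.
 Run from an elevated PowerShell prompt. The default path is an assumption.
#>
param(
    [string]$InstallDir = 'D:\GoCD\server',   # assumed non-default install location
    [switch]$Fix                               # report only unless -Fix is given
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    throw "Install directory not found: $InstallDir"
}

# Groups that must never be able to alter a service's binaries. The root of a
# non-system volume grants 'Authenticated Users' Modify on new subfolders by
# default, so an install on D:\ inherits write access unless the installer
# sets its own ACL, which the affected installers did not adequately do.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Bits that let a caller change, replace or delete files. Modify and FullControl
# both contain them, so those ACEs match too. FullControl itself is not in the
# mask because it also contains read bits and would flag harmless read-only ACEs.
$fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership)

function Get-BroadWriteRule {
    param([string]$Path, [bool]$ExplicitOnly)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($ExplicitOnly -and $rule.IsInherited) { continue }   # inherited ACEs are reported once, at the root
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.IdentityReference.Value -notin $BroadPrincipals) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# The root directory is checked with all of its ACEs, inherited ones included;
# everything below it is checked for explicit ACEs only.
$findings = New-Object System.Collections.Generic.List[object]
Get-BroadWriteRule -Path $InstallDir -ExplicitOnly $false | ForEach-Object { $findings.Add($_) }
Get-ChildItem -LiteralPath $InstallDir -Recurse -Force |
    ForEach-Object { Get-BroadWriteRule -Path $_.FullName -ExplicitOnly $true } |
    ForEach-Object { $findings.Add($_) }

if ($findings.Count -eq 0) {
    Write-Host "OK: no broad write access found under $InstallDir"
    return
}
$findings | Format-Table Path, Identity, Rights, Inherited -AutoSize | Out-Host
if (-not $Fix) {
    Write-Warning "Found $($findings.Count) write-capable ACE(s); re-run with -Fix to downgrade them to ReadAndExecute"
    return
}

foreach ($group in ($findings | Group-Object Path)) {
    $target = $group.Name
    $acl = Get-Acl -LiteralPath $target
    if ($group.Group | Where-Object Inherited) {
        # Inherited ACEs cannot be removed one by one: stop inheriting from the
        # parent, keep copies of the inherited ACEs as explicit ones, write that
        # back, then re-read the ACL so the copies can be edited.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $target -AclObject $acl
        $acl = Get-Acl -LiteralPath $target
    }
    foreach ($identity in ($group.Group.Identity | Select-Object -Unique)) {
        $offending = @($acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.IdentityReference.Value -eq $identity -and
            (([int]$_.FileSystemRights -band $WriteMask) -ne 0) })
        foreach ($rule in $offending) {
            # Drop the write-capable ACE and grant the same principal read/execute
            # with the same inheritance scope, so a service account that happened
            # to rely on the broad ACE for reading keeps working.
            $null = $acl.RemoveAccessRule($rule)
            $readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $rule.IdentityReference, $fsr::ReadAndExecute,
                $rule.InheritanceFlags, $rule.PropagationFlags,
                [System.Security.AccessControl.AccessControlType]::Allow)
            $acl.AddAccessRule($readOnly)
        }
    }
    Set-Acl -LiteralPath $target -AclObject $acl
    Write-Host "Fixed: $target"
}
```

Run it once without -Fix for each GoCD directory (server and agent are installed separately) and review the table before re-running with -Fix; `icacls "D:\GoCD\server"` gives the same picture by hand, with `(OI)(CI)` marking entries that propagate to subfolders and files. Breaking inheritance is deliberate: an ACE inherited from the drive root cannot be edited on the child, and simply restricting it at the root would affect every other directory on that volume.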
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Ireland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9844c4522896dcbf3dc6
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/22/2025, 10:07:03 PM
Last updated: 8/18/2025, 11:33:34 PM
Views: 14
Related Threats
CVE-2025-51529: n/a (Medium)
CVE-2025-50579: n/a (Medium)
CVE-2025-55740: CWE-1392: Use of Default Credentials in Anipaleja nginx-defender (Medium)
CVE-2025-51543: n/a (Unknown)
CVE-2025-50926: n/a (Unknown)