The GoCD community only actively maintains and fixes security issues on top of the most recent released version.

Since breaking changes are rare, and generally sign-posted well in advance, we encourage users to stay on a recent or current version to allow for upgrade as easily as possible in the event of a security defect.

Having said this, wherever possible we will try and provide suggested mitigations or workarounds for older versions.

Please report any issues to https://hackerone.com/gocd according to the listed policy.

In more recent years, an effort has been made to publish and request CVEs for responsibly disclosed & fixed issues to increase transparency and help users assess risk of running older versions.

While many are available as GitHub Security Advisories, you can generally use the NIST NVD database query tools to search for those affecting your specific version by replacing the version 22.3.0 with your own and clicking "Search".

Note that this unlikely to be a complete listing of all reported, responsibly disclosed and fixed issues. If there is a publicly disclosed historical issue that is missing, please raise an issue to let us know, and we will endeavour to document it properly.