Description

GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control.

INFO

Published Date :

2025-01-03T15:49:48.294Z

Last Modified :

2025-01-03T17:10:02.906Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-56322 vulnerability.

Vendors Products
Thoughtworks
  • Gocd
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-56322.

URL Resource
https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733 cve-icon cve-icon
https://github.com/gocd/gocd/releases/tag/24.5.0 cve-icon cve-icon
https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7 cve-icon cve-icon
https://www.gocd.org/releases/#24-5-0 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact