CVE-2024-56324

GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's "group admin" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733	Patch
https://github.com/gocd/gocd/releases/tag/24.5.0	Release Notes
https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78	Vendor Advisory
https://www.gocd.org/releases/#24-5-0	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*

History

01 Aug 2025, 19:22

Type	Values Removed	Values Added
Summary		(es) GoCD es un servidor de entrega continua. Las versiones de GoCD anteriores a la 24.4.0 pueden permitir que los "administradores de grupo" de GoCD abusen de la capacidad de editar la configuración XML sin procesar de los grupos que administran para activar la inyección de entidad externa XML (XXE) en el servidor de GoCD. En teoría, la vulnerabilidad XXE puede dar lugar a ataques adicionales, como SSRF, divulgación de información desde el servidor de GoCD y navegación de directorios, aunque no se ha demostrado explícitamente que estos ataques adicionales sean explotables. Este problema se solucionó en GoCD 24.5.0. Hay algunas workarounds disponibles. Se puede bloquear temporalmente el acceso a las rutas `/go/*/pipelines/snippet` desde un proxy inverso externo o WAF si los usuarios "administradores de grupo" no necesitan la funcionalidad para editar el XML de las canalizaciones directamente (en lugar de usar la interfaz de usuario o un repositorio de configuración). También se puede impedir el acceso externo desde el servidor de GoCD a ubicaciones arbitrarias utilizando algún tipo de control de salida del entorno.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.1
First Time		Thoughtworks Thoughtworks gocd
CPE		cpe:2.3:a:thoughtworks:gocd::::::::
References	~~() https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733 -~~	() https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733 - Patch
References	~~() https://github.com/gocd/gocd/releases/tag/24.5.0 -~~	() https://github.com/gocd/gocd/releases/tag/24.5.0 - Release Notes
References	~~() https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78 -~~	() https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78 - Vendor Advisory
References	~~() https://www.gocd.org/releases/#24-5-0 -~~	() https://www.gocd.org/releases/#24-5-0 - Release Notes

03 Jan 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-03 16:15

Updated : 2025-08-01 19:22

NVD link : CVE-2024-56324

Mitre link : CVE-2024-56324

CVE.ORG link : CVE-2024-56324

JSON object : View

Products Affected

thoughtworks

gocd

CWE

CWE-611

Improper Restriction of XML External Entity Reference

7.1 /10