CVE-2024-56322

GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733	Patch
https://github.com/gocd/gocd/releases/tag/24.5.0	Release Notes
https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7	Vendor Advisory
https://www.gocd.org/releases/#24-5-0	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*

History

01 Aug 2025, 19:24

Type	Values Removed	Values Added
References	~~() https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733 -~~	() https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733 - Patch
References	~~() https://github.com/gocd/gocd/releases/tag/24.5.0 -~~	() https://github.com/gocd/gocd/releases/tag/24.5.0 - Release Notes
References	~~() https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7 -~~	() https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7 - Vendor Advisory
References	~~() https://www.gocd.org/releases/#24-5-0 -~~	() https://www.gocd.org/releases/#24-5-0 - Release Notes
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2
CPE		cpe:2.3:a:thoughtworks:gocd::::::::
First Time		Thoughtworks Thoughtworks gocd
Summary		(es) GoCD es un servidor de entrega continua. Las versiones de GoCD 16.7.0 a 24.4.0 (incluida) pueden permitir que los administradores de GoCD abusen de una característica oculta/no utilizada del repositorio de configuración (canalizaciones como código) para permitir la inyección de XML External Entity (XXE) en el servidor de GoCD, que se ejecutará cuando GoCD escanee periódicamente los repositorios de configuración en busca de actualizaciones de canalizaciones, o sea activada por un administrador o administrador del repositorio de configuración. En la práctica, el impacto de esta vulnerabilidad es limitado, en la mayoría de los casos sin combinarse con otra vulnerabilidad, ya que solo los administradores (super) de GoCD tienen la capacidad de aprovechar esta vulnerabilidad. Por lo general, un administrador malintencionado de GoCD puede causar un daño mucho mayor que el que puede causar con la inyección de XXE. El problema se solucionó en GoCD 24.5.0. Como workaround, evite el acceso externo desde el servidor de GoCD a ubicaciones arbitrarias utilizando algún tipo de control de salida del entorno.

03 Jan 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-03 16:15

Updated : 2025-08-01 19:24

NVD link : CVE-2024-56322

Mitre link : CVE-2024-56322

CVE.ORG link : CVE-2024-56322

JSON object : View

Products Affected

thoughtworks

gocd

CWE

CWE-611

Improper Restriction of XML External Entity Reference

7.2 /10