CVE-2024-56324 (GCVE-0-2024-56324)
Vulnerability from cvelistv5
Published
2025-01-03 15:56
Modified
2025-01-03 18:05
Severity ?
2.1 (Low) - CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Summary
GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's "group admin" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control.
References
Impacted products
Vendor Product Version
gocd gocd Version: < 24.5.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-56324",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-03T18:04:54.319891Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-03T18:05:04.820Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gocd",
          "vendor": "gocd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 24.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD \"group admins\" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to  `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one\u0027s \"group admin\" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one\u0027s GoCD server to arbitrary locations using some kind of environment egress control."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-03T15:56:52.174Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78"
        },
        {
          "name": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733"
        },
        {
          "name": "https://github.com/gocd/gocd/releases/tag/24.5.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gocd/gocd/releases/tag/24.5.0"
        },
        {
          "name": "https://www.gocd.org/releases/#24-5-0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.gocd.org/releases/#24-5-0"
        }
      ],
      "source": {
        "advisory": "GHSA-3w9f-fgr5-5g78",
        "discovery": "UNKNOWN"
      },
      "title": "GoCD vulnerable to XXE injection via abuse of pipeline XML \"snippet\" editing by group admins"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-56324",
    "datePublished": "2025-01-03T15:56:52.174Z",
    "dateReserved": "2024-12-18T23:44:51.604Z",
    "dateUpdated": "2025-01-03T18:05:04.820Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-56324\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-01-03T16:15:26.643\",\"lastModified\":\"2025-08-01T19:22:23.413\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD \\\"group admins\\\" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to  `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one\u0027s \\\"group admin\\\" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one\u0027s GoCD server to arbitrary locations using some kind of environment egress control.\"},{\"lang\":\"es\",\"value\":\"GoCD es un servidor de entrega continua. Las versiones de GoCD anteriores a la 24.4.0 pueden permitir que los \\\"administradores de grupo\\\" de GoCD abusen de la capacidad de editar la configuraci\u00f3n XML sin procesar de los grupos que administran para activar la inyecci\u00f3n de entidad externa XML (XXE) en el servidor de GoCD. En teor\u00eda, la vulnerabilidad XXE puede dar lugar a ataques adicionales, como SSRF, divulgaci\u00f3n de informaci\u00f3n desde el servidor de GoCD y navegaci\u00f3n de directorios, aunque no se ha demostrado expl\u00edcitamente que estos ataques adicionales sean explotables. Este problema se solucion\u00f3 en GoCD 24.5.0. Hay algunas workarounds disponibles. Se puede bloquear temporalmente el acceso a las rutas `/go/*/pipelines/snippet` desde un proxy inverso externo o WAF si los usuarios \\\"administradores de grupo\\\" no necesitan la funcionalidad para editar el XML de las canalizaciones directamente (en lugar de usar la interfaz de usuario o un repositorio de configuraci\u00f3n). Tambi\u00e9n se puede impedir el acceso externo desde el servidor de GoCD a ubicaciones arbitrarias utilizando alg\u00fan tipo de control de salida del entorno.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"24.5.0\",\"matchCriteriaId\":\"82991491-8373-474D-95B9-F1F305632610\"}]}]}],\"references\":[{\"url\":\"https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/gocd/gocd/releases/tag/24.5.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.gocd.org/releases/#24-5-0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-56324\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-03T18:04:54.319891Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-03T18:04:59.847Z\"}}], \"cna\": {\"title\": \"GoCD vulnerable to XXE injection via abuse of pipeline XML \\\"snippet\\\" editing by group admins\", \"source\": {\"advisory\": \"GHSA-3w9f-fgr5-5g78\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 2.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"gocd\", \"product\": \"gocd\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 24.5.0\"}]}], \"references\": [{\"url\": \"https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78\", \"name\": \"https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733\", \"name\": \"https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gocd/gocd/releases/tag/24.5.0\", \"name\": \"https://github.com/gocd/gocd/releases/tag/24.5.0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.gocd.org/releases/#24-5-0\", \"name\": \"https://www.gocd.org/releases/#24-5-0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD \\\"group admins\\\" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to  `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one\u0027s \\\"group admin\\\" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one\u0027s GoCD server to arbitrary locations using some kind of environment egress control.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611: Improper Restriction of XML External Entity Reference\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-01-03T15:56:52.174Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-56324\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-03T18:05:04.820Z\", \"dateReserved\": \"2024-12-18T23:44:51.604Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-01-03T15:56:52.174Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.