
CVE-2024-56324 – GoCD vulnerable to XXE injection via abuse of pipeline XML "snippet" editing by group admins
https://notcve.org/view.php?id=CVE-2024-56324
03 Jan 2025 — GoCD is a continuous delivery server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse the ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD ... • https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733 • CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2024-56322 – GoCD vulnerable to XXE injection via abuse of unused XML configuration repository functionality
https://notcve.org/view.php?id=CVE-2024-56322
03 Jan 2025 — GoCD is a continuous delivery server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server, which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vu... • https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733 • CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2024-56321 – GoCD can allow malicious GoCD admins to abuse backup configuration to gain additional host access
https://notcve.org/view.php?id=CVE-2024-56321
03 Jan 2025 — GoCD is a continuous delivery server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, ... • https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0 • CWE-20: Improper Input Validation CWE-36: Absolute Path Traversal •

CVE-2024-56320 – GoCD vulnerable to admin privilege escalation by a malicious internal/existing authenticated user
https://notcve.org/view.php?id=CVE-2024-56320
03 Jan 2025 — GoCD is a continuous delivery server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. It is not possible for this vulnerabili... • https://github.com/gocd/gocd/commit/68b598b97bd283a5a85e20d018d69fe86acf4165 • CWE-285: Improper Authorization •

CVE-2024-28866 – GoCD vulnerable to reflected Cross-site Scripting possible on server loading page during start-up
https://notcve.org/view.php?id=CVE-2024-28866
13 May 2024 — GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on the loading page displayed while GoCD is starting, via abuse of a `redirect_to` query parameter with inadequate validation. Attackers could theoretically abuse the query parameter to steal session tokens or other values from the user's browser. In practice exploiting this to perform privileged actions is likely rather difficult to exploit becau... • https://github.com/gocd/gocd/commit/388d8893ec4cac51d2b76e923cc9b55c7703e402 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-28629 – Stored XSS possible on VSM and Job Details pages via malicious pipeline label configuration in gocd
https://notcve.org/view.php?id=CVE-2023-28629
27 Mar 2023 — GoCD is an open source continuous delivery server. GoCD versions before 23.1.0 are vulnerable to a stored XSS vulnerability, where pipeline configuration with a malicious pipeline label configuration can affect browser display of pipeline runs generated from that configuration. An attacker that has permissions to configure GoCD pipelines could include JavaScript elements within the label template, causing a XSS vulnerability to be triggered for any users viewing the Value Stream Map or Job Details for runs ... • https://docs.gocd.org/current/configuration/pipeline_labeling.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-28630 – Sensitive information disclosure possible on misconfigured failed backups of non-H2 databases in gocd
https://notcve.org/view.php?id=CVE-2023-28630
27 Mar 2023 — GoCD is an open source continuous delivery server. In GoCD versions from 20.5.0 and below 23.1.0, if the server environment is not correctly configured by administrators to provide access to the relevant PostgreSQL or MySQL backup tools, the credentials for database access may be unintentionally leaked to admin alerts on the GoCD user interface. The vulnerability is triggered only if the GoCD server host is misconfigured to have backups enabled, but does not have access to the `pg_dump` or `mysqldump` utili... • https://github.com/gocd/gocd/commit/6545481e7b36817dd6033bf614585a8db242070d • CWE-532: Insertion of Sensitive Information into Log File •

CVE-2022-39310 – Malicious agent may be able to impersonate another agent in GoCD
https://notcve.org/view.php?id=CVE-2022-39310
14 Oct 2022 — GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 can allow one authenticated agent to impersonate another agent, and thus receive work packages for other agents due to broken access control and incorrect validation of agent tokens within the GoCD server. Since work packages can contain sensitive information such as credentials intended only for a given job running against a specifi... • https://github.com/gocd/gocd/pull/8877 • CWE-284: Improper Access Control •

CVE-2022-39311 – Compromised agents may be able to execute remote code on GoCD Server
https://notcve.org/view.php?id=CVE-2022-39311
14 Oct 2022 — GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation endpoint exposed agent communication and allowed deserialization of arbitrary java objects, as well as subsequent remote code execution. Exploitation requires agent-level authentication, thus an attacker would need... • https://github.com/gocd/gocd/commit/7b88b70d6f7f429562d5cab49a80ea856e34cdc8 • CWE-502: Deserialization of Untrusted Data •

CVE-2022-39308 – GoCD API authentication of user access tokens subject to timing attack during comparison
https://notcve.org/view.php?id=CVE-2022-39308
14 Oct 2022 — GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 (inclusive) are subject to a timing attack in validation of access tokens due to use of regular string comparison for validation of the token rather than a constant time algorithm. This could allow a brute force attack on GoCD server API calls to observe timing differences in validations in order to guess an access token gener... • https://github.com/gocd/gocd/commit/236d4baf92e6607f2841c151c855adcc477238b8 • CWE-208: Observable Timing Discrepancy CWE-697: Incorrect Comparison CWE-1254: Incorrect Comparison Logic Granularity •