CVE-2024-56322

GoCD vulnerable to XXE injection via abuse of unused XML configuration repository functionality

Severity Score

2.1

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Attack Requirements

None

Privileges Required

High

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

Low

None

Integrity

Low

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-12-18 CVE Reserved
2025-01-03 CVE Published
2025-01-03 CVE Updated
2025-01-04 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-611: Improper Restriction of XML External Entity Reference

CAPEC

References (4)

URL	Tag	Source
https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733	X_refsource_misc
https://github.com/gocd/gocd/releases/tag/24.5.0	X_refsource_misc
https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7	X_refsource_confirm
https://www.gocd.org/releases/#24-5-0	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gocd Search vendor "Gocd"		Gocd Search vendor "Gocd" for product "Gocd"				>= 16.7.0 < 24.5.0 Search vendor "Gocd" for product "Gocd" and version " >= 16.7.0 < 24.5.0"		en		Affected