We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-56322

GoCD vulnerable to XXE injection via abuse of unused XML configuration repository functionality



Description

GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control.

Reserved 2024-12-18 | Published 2025-01-03 | Updated 2025-01-03 | Assigner GitHub_M


LOW: 2.1CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-611: Improper Restriction of XML External Entity Reference

Product status

>= 16.7.0, < 24.5.0
affected

References

github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7

github.com/...ommit/410331a97eb2935e04c1372f50658e05c533f733

github.com/gocd/gocd/releases/tag/24.5.0

www.gocd.org/releases/

cve.org (CVE-2024-56322)

nvd.nist.gov (CVE-2024-56322)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-56322

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.