Skip to main content

Gocd CVE-2024-56324

LOW
Improper Restriction of XML External Entity Reference (CWE-611)
2025-01-03 security-advisories@github.com
2.1
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:01 vuln.today
Patch released
Mar 28, 2026 - 18:01 nvd
Patch available
CVE Published
Jan 03, 2025 - 16:15 nvd
LOW 2.1

DescriptionGitHub Advisory

GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to /go/*/pipelines/snippet routes from an external reverse proxy or WAF if one's "group admin" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control.

AnalysisAI

GoCD is a continuous deliver server. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Technical ContextAI

This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to /go/*/pipelines/snippet routes from an external reverse proxy or WAF if one's "group admin" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control. Affected products include: Thoughtworks Gocd. Version information: prior to 24.4.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Disable external entity processing in XML parsers, use JSON instead of XML where possible.

More in Gocd

View all
CVE-2021-44659 CRITICAL POC
9.8 Dec 22

Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action

CVE-2022-39311 HIGH
8.8 Oct 14

GoCD is a continuous delivery server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at

CVE-2022-29184 HIGH
8.8 May 20

GoCD is a continuous delivery server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at

CVE-2021-25924 HIGH
8.8 Apr 01

In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the `/

CVE-2022-24832 MEDIUM
6.8 Apr 11

GoCD is an open source a continuous delivery server. Rated medium severity (CVSS 6.8), this vulnerability is remotely ex

CVE-2022-39310 MEDIUM
6.5 Oct 14

GoCD is a continuous delivery server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low

CVE-2022-39309 MEDIUM
6.5 Oct 14

GoCD is a continuous delivery server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low

CVE-2024-28866 MEDIUM
6.1 May 14

GoCD is a continuous delivery server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no a

CVE-2022-29183 MEDIUM
6.1 May 20

GoCD is a continuous delivery server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no a

CVE-2022-39308 MEDIUM
5.9 Oct 14

GoCD is a continuous delivery server. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no a

CVE-2022-36088 MEDIUM
5.5 Sep 07

GoCD is a continuous delivery server. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Thi

CVE-2023-28629 MEDIUM
5.4 Mar 27

GoCD is an open source continuous delivery server. Rated medium severity (CVSS 5.4), this vulnerability is remotely expl

Share

CVE-2024-56324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy