logo_clicknbuy.png

CVE-2024-56322 – GoCD XXE Injection Vulnerability

The following table lists the changes that have been made to the
CVE-2024-56322 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by [email protected]

    Jan. 03, 2025

    Action Type Old Value New Value
    Added Description GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control.
    Added CVSS V4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CWE CWE-611
    Added Reference https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733
    Added Reference https://github.com/gocd/gocd/releases/tag/24.5.0
    Added Reference https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7
    Added Reference https://www.gocd.org/releases/#24-5-0
Share the Post:

Related Posts