CVE-2024-56320
Published: 03 January 2025
Summary
CVE-2024-56320 is a high-severity Improper Authorization (CWE-285) vulnerability in Thoughtworks GoCD. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation). The CVE is ranked in the top 21.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access, preventing ordinary authenticated users from reaching the admin-only Configuration XML UI and API features.
- SI-2 (Flaw Remediation): requires identification, reporting, and timely remediation of flaws like this improper authorization vulnerability, in this case by patching to GoCD 24.5.0.
- AC-6 (Least Privilege): limits user access to what is necessary and regularly reviews privileges, reducing the impact of a potential escalation to admin.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper authorization directly enables authenticated low-privileged users to access admin-only Configuration XML functions and APIs, resulting in persistent privilege escalation to full administrator level.
NVD Description
GoCD is a continuous delivery server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. It is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediately upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to a more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account.
Deeper analysis
CVE-2024-56320 is an improper authorization vulnerability (CWE-285) in GoCD, an open-source continuous delivery server. Versions prior to 24.5.0 are affected due to inadequate access controls on the admin "Configuration XML" UI feature and its associated API, enabling unauthorized access to sensitive administrative functions. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), highlighting high confidentiality, integrity, and availability impacts.
An authenticated GoCD user, such as a malicious insider with an existing account, can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation allows the attacker to view information restricted to GoCD administrators or persistently escalate their privileges to full admin level. Prior authentication is necessary, preventing unauthenticated abuse.
The vulnerability is fixed in GoCD version 24.5.0, as detailed in the official release notes and security advisory. For those unable to upgrade immediately, mitigations include blocking access to paths with the /go/rails/ prefix using a reverse proxy or WAF, which incurs no functionality loss. Alternatively, administrators should reduce the user base to trusted individuals and disable plugins like guest-login-plugin that enable anonymous access as regular users. Relevant resources include the GoCD GitHub security advisory (GHSA-346h-q594-rj8j), patch commit, and release page.
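The interim mitigation described in the NVD description and in the analysis above (blocking the `/go/rails/` prefix at a reverse proxy) as an added nginx example; this is not configuration from the page or from the GoCD project. It assumes GoCD listens on 127.0.0.1:8153 (its default HTTP port) and uses a placeholder hostname.

```nginx
# Added example, not GoCD's own configuration: nginx reverse proxy in front of a
# GoCD server, applying the advisory's interim mitigation of rejecting every
# request whose path starts with /go/rails/.
# Assumption: GoCD is listening on 127.0.0.1:8153 (GoCD's default HTTP port).
upstream gocd_server {
    server 127.0.0.1:8153;
}

server {
    listen 80;
    server_name gocd.example.internal;   # placeholder hostname

    # Requests under this prefix are logged separately and rejected before they
    # reach GoCD. `^~` makes this prefix location win over any regex locations,
    # and nginx matches locations against the decoded, normalized URI, so the
    # rule is applied to the path GoCD would actually see.
    location ^~ /go/rails/ {
        access_log /var/log/nginx/gocd_blocked.log;
        return 403;
    }

    # Everything else is proxied to GoCD unchanged; blocking the route above
    # causes no loss of functionality per the advisory.
    location / {
        proxy_pass http://gocd_server;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading, confirm that a request to any `/go/rails/` path returns 403 while the normal GoCD UI and API still load through the proxy. The separate blocked-request log gives a simple detection signal for accounts probing the admin-only route until the upgrade to 24.5.0 is done.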
Details
- CWE(s)