Cyber Posture

CVE-2024-56322

High

Published: 03 January 2025

Modified: 01 August 2025
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0042 (62.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-56322 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Thoughtworks GoCD. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

(prevent) Timely flaw remediation through patching GoCD to version 24.5.0 directly eliminates the XXE vulnerability in the configuration repository scanning feature.

(prevent) Information input validation ensures that XML parsed during config repo scans rejects or sanitizes external entity references, preventing XXE injection.

(prevent) Boundary protection with egress filtering blocks the GoCD server from reaching the arbitrary external locations needed for XXE external entity resolution, matching the recommended workaround.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

XXE in a server component directly enables exploitation of the application (T1190); admin-only access and limited standalone impact prevent stronger mappings.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

GoCD is a continuous delivery server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control.

Deeper analysis

CVE-2024-56322 is an XML External Entity (XXE) injection vulnerability (CWE-611) affecting GoCD, a continuous delivery server, in versions 16.7.0 through 24.4.0 inclusive. The issue stems from a hidden and unused configuration repository feature, known as "pipelines as code," which GoCD admins can abuse to inject XXE payloads directly on the GoCD Server. These payloads execute when the server periodically scans configuration repositories for pipeline updates or when scans are triggered by an administrator or config repo admin.

Only GoCD super admins possess the privileges required to exploit this vulnerability. Attackers with such access can trigger XXE injection during repo scans, potentially achieving high impacts on confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). In practice, the vulnerability's impact is limited without combination with another flaw, since a malicious admin could inflict far greater damage through legitimate administrative functions.

The vulnerability is fixed in GoCD 24.5.0. As a workaround, apply environment egress controls to block the GoCD server from accessing arbitrary external locations. Official details appear in the GoCD GitHub security advisory (GHSA-8xwx-hf68-8xq7), the 24.5.0 release notes, the fixing commit (410331a97eb2935e04c1372f50658e05c533f733), and the GoCD releases page.

Details

CWE(s): CWE-611 (Improper Restriction of XML External Entity Reference)

Affected Products: thoughtworks gocd, versions 16.7.0 — 24.5.0 (fixed in 24.5.0)

CVEs Like This One

CVE-2024-56324 (same product: Thoughtworks GoCD)
CVE-2024-56320 (same product: Thoughtworks GoCD)
CVE-2024-49352 (shared CWE-611)
CVE-2025-65482 (shared CWE-611)
CVE-2025-0162 (shared CWE-611)
CVE-2025-61813 (shared CWE-611)
CVE-2026-41066 (shared CWE-611)
CVE-2025-14478 (shared CWE-611)
CVE-2026-1567 (shared CWE-611)
CVE-2024-49781 (shared CWE-611)