CVE-2024-56324
Published: 03 January 2025
Summary
CVE-2024-56324 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Thoughtworks Gocd. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the XXE vulnerability by requiring timely patching of GoCD to version 24.5.0 or later.
Enforces validation of XML inputs during group admin configuration edits to block malicious external entity payloads.
Limits access to raw XML configuration changes, aligning with workarounds to restrict group admins from using vulnerable snippet routes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XXE injection in exposed GoCD server config editing directly enables exploitation of public-facing app (T1190) and local file/data disclosure (T1005) by authenticated admins.
NVD Description
GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server.…
more
Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's "group admin" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control.
Deeper analysisAI
CVE-2024-56324 is an XML External Entity (XXE) injection vulnerability, classified under CWE-611, affecting GoCD, an open-source continuous delivery server. The flaw exists in GoCD versions prior to 24.4.0, where group administrators can abuse their ability to edit raw XML configurations for the groups they administer. This editing capability triggers XXE processing on the GoCD server itself.
The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L), indicating a high-impact issue exploitable over the network with low complexity and low privileges. GoCD group admins with legitimate access can craft malicious XML payloads during configuration edits, potentially leading to server-side request forgery (SSRF), information disclosure from the GoCD server, or directory traversal. While these secondary impacts are theoretical and have not been explicitly demonstrated as feasible, the core XXE injection enables significant confidentiality risks.
The issue is fixed in GoCD version 24.5.0. Advisories recommend upgrading to this patched release. As workarounds, organizations can block access to the `/go/*/pipelines/snippet` routes via an external reverse proxy or WAF if group admins do not require direct XML editing (preferring the UI or configuration repositories). Additionally, implementing environment-level egress controls can prevent the GoCD server from making arbitrary outbound connections.
Details
- CWE(s)