{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-56324", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-12-18T23:44:51.604Z", "datePublished": "2025-01-03T15:56:52.174Z", "dateUpdated": "2025-01-03T18:05:04.820Z"}, "containers": {"cna": {"title": "GoCD vulnerable to XXE injection via abuse of pipeline XML \"snippet\" editing by group admins", "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.1, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78"}, {"name": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733", "tags": ["x_refsource_MISC"], "url": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733"}, {"name": "https://github.com/gocd/gocd/releases/tag/24.5.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/gocd/gocd/releases/tag/24.5.0"}, {"name": "https://www.gocd.org/releases/#24-5-0", "tags": ["x_refsource_MISC"], "url": "https://www.gocd.org/releases/#24-5-0"}], "affected": [{"vendor": "gocd", "product": "gocd", "versions": [{"version": "< 24.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-03T15:56:52.174Z"}, "descriptions": [{"lang": "en", "value": "GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD \"group admins\" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's \"group admin\" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control."}], "source": {"advisory": "GHSA-3w9f-fgr5-5g78", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-03T18:04:54.319891Z", "id": "CVE-2024-56324", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-03T18:05:04.820Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-56324", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-03T18:04:54.319891Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-03T18:04:59.847Z"}}], "cna": {"title": "GoCD vulnerable to XXE injection via abuse of pipeline XML \"snippet\" editing by group admins", "source": {"advisory": "GHSA-3w9f-fgr5-5g78", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "gocd", "product": "gocd", "versions": [{"status": "affected", "version": "< 24.5.0"}]}], "references": [{"url": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78", "name": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733", "name": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gocd/gocd/releases/tag/24.5.0", "name": "https://github.com/gocd/gocd/releases/tag/24.5.0", "tags": ["x_refsource_MISC"]}, {"url": "https://www.gocd.org/releases/#24-5-0", "name": "https://www.gocd.org/releases/#24-5-0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD \"group admins\" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's \"group admin\" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-03T15:56:52.174Z"}}}, "cveMetadata": {"cveId": "CVE-2024-56324", "state": "PUBLISHED", "dateUpdated": "2025-01-03T18:05:04.820Z", "dateReserved": "2024-12-18T23:44:51.604Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-01-03T15:56:52.174Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD \"group admins\" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one's \"group admin\" users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one's GoCD server to arbitrary locations using some kind of environment egress control."}], "id": "CVE-2024-56324", "lastModified": "2025-01-03T16:15:26.643", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "NONE"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-01-03T16:15:26.643", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733"}, {"source": "security-advisories@github.com", "url": "https://github.com/gocd/gocd/releases/tag/24.5.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78"}, {"source": "security-advisories@github.com", "url": "https://www.gocd.org/releases/#24-5-0"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}