PT-2025-1144 · Gocd · Gocd

Baiyecha404 · Published 2025-01-03 · Updated 2025-08-01
CVE-2024-56324
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Name of the vulnerable software and affected versions: GoCD versions prior to 24.4.0
Description: GoCD, a continuous delivery server, incorrectly restricts XML external entity references. Users in the "group admin" role can abuse their ability to edit raw XML pipeline configuration to perform XML External Entity (XXE) injection against the GoCD server. In theory this could enable further attacks such as Server-Side Request Forgery (SSRF), information disclosure, and directory traversal, but none of these follow-on attacks has been explicitly demonstrated to be exploitable.
Recommendations: For versions prior to 24.4.0, consider updating to version 24.5.0 or later, which includes the fix for this issue. As a temporary workaround, if "group admin" users do not need to edit pipeline XML directly, block access to the /go/*/pipelines/snippet routes at an external reverse proxy or WAF. Additionally, use environment egress controls to prevent the GoCD server from reaching arbitrary external locations.
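As an added illustration (not GoCD's own code and not its actual fix), the Python below shows the kind of pre-parse gate a server could place in front of a raw XML configuration endpoint: expat's declaration handlers fire as soon as a DOCTYPE or entity declaration is read, before any entity is resolved, so the scan aborts without expanding or fetching anything. The function names, the pipeline fragments and the file:///placeholder URL are constructed for this example.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class DtdRejected(ValueError):
    """Raised when a submitted config declares a DOCTYPE or any entity."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Abort on the first DTD construct, before expat resolves anything.

    Expat calls these handlers as soon as it reads the declaration, so no
    entity is expanded and no external resource is fetched during the scan.
    """
    parser = xml.parsers.expat.ParserCreate()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed in pipeline XML")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise DtdRejected(f"entity {name!r} is not allowed in pipeline XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)  # ExpatError on malformed input


def parse_pipeline_snippet(xml_bytes: bytes) -> ET.Element:
    """Accept a raw pipeline snippet only after the DTD gate passes."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def is_acceptable(xml_bytes: bytes) -> bool:
    """True when the snippet carries no DTD at all (the gate passes)."""
    try:
        reject_dtd(xml_bytes)
    except DtdRejected:
        return False
    return True


# Constructed sample inputs: hypothetical fragments, not real GoCD config.
SAFE_SNIPPET = (
    b'<pipeline name="build"><materials>'
    b'<git url="https://example.invalid/repo.git" /></materials></pipeline>'
)
DTD_SNIPPET = (
    b'<!DOCTYPE pipeline [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b'<pipeline name="build">&ext;</pipeline>'
)
```

A well-formed snippet with no DTD parses normally; any DOCTYPE, including one that only declares internal entities, is refused before the main parser sees it.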

Tags: Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers

BDU:2025-00423
CVE-2024-56324
GHSA-3W9F-FGR5-5G78

Affected Products

Gocd