PT-2025-1151 · Gocd · Gocd

Baiyecha404 · Published 2025-01-03 · Updated 2025-08-01 · CVE-2024-56321

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: GoCD versions 18.9.0 through 24.4.0

Description: The issue exists because the path name of the configured post-backup script is not correctly restricted to a directory with limited access. An authenticated remote attacker holding GoCD admin rights can use this to execute arbitrary code: GoCD admins can abuse the backup configuration "post-backup script" feature to run arbitrary scripts on the hosting server or container as the GoCD server's user. The impact is limited in most deployments, because a user who can log into the GoCD UI as an admin often already has administrative access to the host. In restricted environments where host administration is deliberately separated from the GoCD admin role, however, this crosses a trust boundary the operator may not expect.

Recommendations: For GoCD versions 18.9.0 through 24.4.0, update to version 24.5.0 or later, where post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. As a temporary workaround, restrict access to the backup configuration "post-backup script" feature (in practice, limit who holds GoCD admin rights and review the configured script path) to minimise the risk of exploitation. Additionally, restrict the ability of GoCD admins to configure and schedule pipeline tasks on all GoCD agents available to the server, to prevent coordinated task execution with an effect similar to that of post-backup scripts.
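The fix described above amounts to a path-restriction check on the configured post-backup script, and the weakness class is exactly the kind that string-prefix matching gets wrong. The following is an added example, not GoCD's own code or the 24.5.0 patch: it audits a GoCD cruise-config.xml fragment for a post-backup script and rejects one that resolves into a sensitive server directory. It assumes the script is configured as the postBackupScript attribute of the <backup> element under <server>, that the server lives under a hypothetical install root /var/lib/go-server, and that the "sensitive locations" are the config, artifacts and pipelines directories there; the real fix may use a different list, so check your own layout. The config fragments are constructed for the example.

```python
"""Audit a GoCD config for a post-backup script inside a sensitive directory.

Added example, not GoCD's code. Assumptions not taken from the advisory:
  * the script is server/backup@postBackupScript in cruise-config.xml;
  * SERVER_ROOT and SENSITIVE_DIRS below are a hypothetical layout.
"""
import os
import xml.etree.ElementTree as ET

# Hypothetical install root. The directories an admin can populate through
# pipelines, artifacts or config repos are the ones a script must not live in.
SERVER_ROOT = "/var/lib/go-server"
SENSITIVE_DIRS = [
    os.path.join(SERVER_ROOT, "config"),
    os.path.join(SERVER_ROOT, "artifacts"),
    os.path.join(SERVER_ROOT, "pipelines"),
]

# Constructed sample configs (schemaVersion is illustrative).
CONFIG_OK = (
    '<cruise schemaVersion="139"><server>'
    '<backup schedule="0 0 2 * * ?" '
    'postBackupScript="/usr/local/bin/copy-backup-offsite.sh"/>'
    '</server></cruise>'
)
CONFIG_ARTIFACT = (
    '<cruise schemaVersion="139"><server>'
    '<backup schedule="0 0 2 * * ?" '
    'postBackupScript="/var/lib/go-server/artifacts/pipelines/build/1/run.sh"/>'
    '</server></cruise>'
)


def _is_under(path, directory):
    """True if path is directory itself or one of its descendants.

    commonpath compares whole components, so /x/artifacts-old is NOT under
    /x/artifacts; a naive str.startswith check would get that wrong.
    """
    return os.path.commonpath([path, directory]) == directory


def check_post_backup_script(script, sensitive_dirs=SENSITIVE_DIRS):
    """Return (allowed, reason) for a configured post-backup script path.

    Both the candidate and every denied directory are resolved with
    os.path.realpath (absolute, '..' collapsed, existing symlinks followed)
    before comparison, so traversal or symlink tricks in the configured
    string cannot escape the restriction.
    """
    if not script:
        return True, "no post-backup script configured"
    if not os.path.isabs(script):
        # A relative path is resolved against the server's working directory,
        # which is itself admin-influenced; reject rather than guess.
        return False, "relative script path rejected: %r" % script
    resolved = os.path.realpath(script)
    for d in sensitive_dirs:
        d_resolved = os.path.realpath(d)
        if _is_under(resolved, d_resolved):
            return False, "script %r resolves to %r inside %r" % (script, resolved, d)
    return True, "script %r resolves to %r outside sensitive directories" % (script, resolved)


def audit_config(xml_text, sensitive_dirs=SENSITIVE_DIRS):
    """Extract server/backup@postBackupScript from a config and check it."""
    root = ET.fromstring(xml_text)
    backup = root.find("./server/backup")
    script = backup.get("postBackupScript") if backup is not None else None
    return check_post_backup_script(script, sensitive_dirs)


if __name__ == "__main__":
    for label, cfg in (("ok", CONFIG_OK), ("artifact-dir", CONFIG_ARTIFACT)):
        print(label, audit_config(cfg))
    # Traversal through an existing directory still lands in a denied dir.
    print("traversal", check_post_backup_script(
        "/etc/../var/lib/go-server/pipelines/build/payload.sh"))
    # Prefix collision is NOT a match once whole components are compared.
    print("prefix", check_post_backup_script("/var/lib/go-server/artifacts-old/run.sh"))
```

The point of resolving both sides with realpath is that the comparison then happens on canonical paths: a script configured as /etc/../var/lib/go-server/pipelines/... is denied, while /var/lib/go-server/artifacts-old/run.sh is not mistaken for something under artifacts. An allow-list of directories scripts may live in (for example /usr/local/bin only) is the stricter variant and is what a restricted environment should prefer.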

Exploit · Fix · RCE


Related Identifiers

BDU:2025-00431
CVE-2024-56321
GHSA-7JR3-GH3W-VJXQ

Affected Products

Gocd