CVE-2024-56320
Published: 03 January 2025
Description
GoCD is a continuous delivery server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature and its associated API. A malicious insider, or any existing authenticated GoCD user, could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to those of a GoCD admin in a persistent manner. It is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediately upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access to paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to a more trusted set of users, including temporarily disabling plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account.
Security Summary
CVE-2024-56320 is an improper authorization vulnerability (CWE-285) in GoCD, an open-source continuous delivery server. Versions prior to 24.5.0 are affected due to inadequate access controls on the admin "Configuration XML" UI feature and its associated API, enabling unauthorized access to sensitive administrative functions. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), highlighting high confidentiality, integrity, and availability impacts.
An authenticated GoCD user, such as a malicious insider with an existing account, can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation allows the attacker to view information restricted to GoCD administrators or persistently escalate their privileges to full admin level. Prior authentication is necessary, preventing unauthenticated abuse.
The vulnerability is fixed in GoCD version 24.5.0, as detailed in the official release notes and security advisory. For those unable to upgrade immediately, the advisory's mitigation is to block access to paths with the /go/rails/ prefix at a reverse proxy or WAF in front of the server, which incurs no functionality loss. Where neither upgrading nor blocking the route is possible, consider reducing the user base to trusted individuals and disabling plugins such as guest-login-plugin that grant anonymous access as regular users. Relevant resources include the GoCD GitHub security advisory (GHSA-346h-q594-rj8j), the patch commit, and the release page.
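As an added example, not GoCD's own configuration and not taken from the advisory, the following nginx server block implements the /go/rails/ prefix block described above for an unpatched server. The hostname, the backend address 127.0.0.1:8153 and the certificate paths are assumptions for illustration.

```nginx
# Added example, not GoCD project configuration. Assumes nginx is the only
# route to a GoCD server bound to 127.0.0.1:8153; the hostname and TLS paths
# below are placeholders.
server {
    listen 443 ssl;
    server_name gocd.example.internal;              # assumed hostname
    ssl_certificate     /etc/nginx/tls/gocd.crt;    # assumed path
    ssl_certificate_key /etc/nginx/tls/gocd.key;    # assumed path

    # Mitigation for CVE-2024-56320: refuse the /go/rails/ prefix before it
    # is proxied. By default nginx matches locations against the decoded and
    # normalised $uri (percent-decoding applied, "." and ".." resolved,
    # adjacent slashes merged), so encoded or double-slash variants of the
    # path still reach this rule. The match is case-insensitive (~*) so a
    # differently cased request cannot bypass a purely literal prefix, and a
    # regex location takes precedence over the plain "location /" below
    # regardless of ordering.
    location ~* ^/go/rails/ {
        return 403;
    }

    # Everything else is forwarded to GoCD unchanged.
    location / {
        proxy_pass http://127.0.0.1:8153;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, check the rule from a client with `curl -sk -o /dev/null -w '%{http_code}\n' https://gocd.example.internal/go/rails/` (expect 403) and confirm that `/go/` still proxies normally. The block only helps if the proxy is the sole path to the server: if users can reach the GoCD listener on 8153 directly, bind it to loopback or firewall it, otherwise the rule is trivially bypassed.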
Details
- CWE(s)