CVE-2024-56322

CVE-2024-56322 is an XML External Entity (XXE) injection vulnerability (CWE-611) affecting GoCD, a continuous delivery server, in versions 16.7.0 through 24.4.0 inclusive. The issue stems from a hidden and unused configuration repository feature, known as "pipelines as code," which GoCD admins can abuse to inject XXE payloads directly on the GoCD Server. These payloads execute when the server periodically scans configuration repositories for pipeline updates or when scans are triggered by an administrator or config repo admin.

Only GoCD super admins possess the privileges required to exploit this vulnerability. Attackers with such access can trigger XXE injection during repo scans, potentially achieving high impacts on confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). In practice, the vulnerability's impact is limited without combination with another flaw, since a malicious admin could inflict far greater damage through legitimate administrative functions.

The vulnerability is fixed in GoCD 24.5.0. As a workaround, apply environment egress controls to block the GoCD server from accessing arbitrary external locations. Official details appear in the GoCD GitHub security advisory (GHSA-8xwx-hf68-8xq7), the 24.5.0 release notes, the fixing commit (410331a97eb2935e04c1372f50658e05c533f733), and the GoCD releases page.