CVE-2024-56324

7.1 HIGH

📋 TL;DR

GoCD versions before 24.5.0 contain an XML External Entity (XXE) vulnerability that allows group administrators to inject malicious XML when editing pipeline configurations. This could lead to server-side request forgery (SSRF), information disclosure, or directory traversal attacks. Only GoCD instances with group admin users who can edit XML configurations are affected.

💻 Affected Systems

Products:
  • GoCD
Versions: All versions prior to 24.5.0
Operating Systems: All platforms running GoCD
Default Config Vulnerable: ⚠️ Yes
Notes: Requires group admin privileges to exploit. The vulnerability exists in the pipeline XML editing functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Group admin could read arbitrary files from the GoCD server, perform SSRF attacks against internal systems, or potentially execute remote code through XXE processing.

🟠 Likely Case: Information disclosure from the GoCD server filesystem, including configuration files, credentials, or sensitive data stored on the server.

🟢 If Mitigated: Limited impact with proper network segmentation and egress controls preventing external requests from the GoCD server.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires group admin privileges and knowledge of XXE payloads. No public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.5.0

Vendor Advisory: https://github.com/gocd/gocd/security/advisories/GHSA-3w9f-fgr5-5g78

Restart Required: No

Instructions:

1. Back up your GoCD configuration and data.
2. Download GoCD 24.5.0 from the official releases page.
3. Follow the upgrade instructions for your deployment method (package, Docker, manual).
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Block XML editing endpoints (applies to: all)
  • Temporarily block access to vulnerable endpoints via reverse proxy or WAF if group admins don't need direct XML editing.
  • Action: Block requests to /go/*/pipelines/snippet

Implement egress controls (applies to: all)
  • Prevent the GoCD server from making outbound requests to arbitrary locations.
  • Action: Configure firewall rules to restrict outbound connections from the GoCD server

🧯 If You Can't Patch

  • Remove group admin privileges from untrusted users
  • Implement strict network segmentation to limit GoCD server's access to internal resources

🔍 How to Verify

Check if Vulnerable:

Check GoCD version via admin interface or by examining server logs/configuration

Check Version:

Check GoCD server logs for version information or use the admin dashboard

Verify Fix Applied:

Verify version is 24.5.0 or later and test that XXE payloads in pipeline XML are properly rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • Requests to /go/*/pipelines/snippet with XML content
  • Outbound requests from GoCD server to unexpected destinations

Network Indicators:

  • GoCD server making HTTP requests to internal systems it shouldn't access
  • Unusual file read patterns from the GoCD server

SIEM Query:

source="gocd" AND (uri="/go/*/pipelines/snippet" OR message="XML parsing error")
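The log indicators and SIEM query above, applied to constructed sample log lines as an added example (not part of this advisory page or of GoCD itself): the key=value line format, field names and the egress allowlist are assumptions for the example, and real GoCD logs differ in layout.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample log lines in an assumed key=value layout (not real GoCD output).
SAMPLE_LOGS = [
    '2024-12-01T10:00:01Z user=alice method=GET uri=/go/api/pipelines status=200 msg="ok"',
    '2024-12-01T10:00:05Z user=bob method=POST uri=/go/admin/pipelines/snippet status=200 msg="pipeline saved"',
    '2024-12-01T10:00:09Z user=bob method=POST uri=/go/admin/pipelines/snippet status=500 msg="XML parsing error near DOCTYPE"',
    '2024-12-01T10:00:12Z user=gocd-server method=GET uri=http://10.0.5.20/latest/meta-data status=200 msg="outbound fetch"',
]

# Endpoint glob from the workaround section; fnmatch's '*' also matches '/', so nested paths are covered.
SNIPPET_ENDPOINT = "/go/*/pipelines/snippet"
LINE_RE = re.compile(
    r'(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) uri=(?P<uri>\S+) '
    r'status=(?P<status>\d+) msg="(?P<msg>[^"]*)"'
)
# Hosts the GoCD server is expected to reach (constructed allowlist); any other outbound target is flagged.
EXPECTED_EGRESS = {"git.internal.example", "artifacts.internal.example"}


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit the assumed layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def indicators(line):
    """Return the names of the advisory's log indicators that a single line triggers."""
    rec = parse_line(line)
    if rec is None:
        return []
    hits = []
    # Writes to the pipeline XML snippet endpoint (the vulnerable editing path).
    if fnmatchcase(rec["uri"], SNIPPET_ENDPOINT) and rec["method"] in ("POST", "PUT"):
        hits.append("xml-edit-endpoint")
    # Unusual XML parsing errors, e.g. from a rejected DOCTYPE.
    if "xml parsing error" in rec["msg"].lower():
        hits.append("xml-parse-error")
    # Outbound requests from the server to a destination outside the allowlist.
    m = re.match(r"https?://([^/:]+)", rec["uri"])
    if m and m.group(1) not in EXPECTED_EGRESS:
        hits.append("unexpected-egress")
    return hits


def scan(lines):
    """Map each flagged line's timestamp to its indicators; lines with no hits are omitted."""
    out = {}
    for line in lines:
        hits = indicators(line)
        if hits:
            out[parse_line(line)["ts"]] = hits
    return out
```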
