CVE-2024-56321

GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has ability to configure and schedule pipelines tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup-scripts. However in restricted environments where the host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available.

CVSS v3 3.8 LOW

3.8^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0	Patch
https://github.com/gocd/gocd/releases/tag/24.5.0	Release Notes
https://github.com/gocd/gocd/security/advisories/GHSA-7jr3-gh3w-vjxq	Vendor Advisory
https://www.gocd.org/releases/#24-5-0	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-01-03 16:15

Updated : 2025-08-01 20:03

NVD link : CVE-2024-56321

Mitre link : CVE-2024-56321

CVE.ORG link : CVE-2024-56321

JSON object : View

Products Affected

thoughtworks

gocd

CWE

CWE-20

Improper Input Validation

CWE-36

Absolute Path Traversal

{"id": "CVE-2024-56321", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.8, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.2}]}, "published": "2025-01-03T16:15:26.340", "references": [{"url": "https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/gocd/gocd/releases/tag/24.5.0", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/gocd/gocd/security/advisories/GHSA-7jr3-gh3w-vjxq", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.gocd.org/releases/#24-5-0", "tags": ["Release Notes"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-36"}]}], "descriptions": [{"lang": "en", "value": "GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration \"post-backup script\" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has ability to configure and schedule pipelines tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup-scripts. However in restricted environments where the host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available."}, {"lang": "es", "value": "GoCD es un servidor de entrega continua. Las versiones de GoCD 18.9.0 a 24.4.0 (incluida) pueden permitir que los administradores de GoCD abusen de la funci\u00f3n de \"script posterior a la copia de seguridad\" de la configuraci\u00f3n de copia de seguridad para ejecutar potencialmente scripts arbitrarios en el servidor o contenedor de alojamiento como usuario de GoCD, en lugar de scripts preconfigurados. En la pr\u00e1ctica, el impacto de esta vulnerabilidad es limitado, ya que en la mayor\u00eda de las configuraciones, un usuario que puede iniciar sesi\u00f3n en la interfaz de usuario de GoCD como administrador tambi\u00e9n tiene permisos de administraci\u00f3n de host para el host/contenedor en el que se ejecuta GoCD, con el fin de administrar el almacenamiento de artefactos y otras opciones de configuraci\u00f3n a nivel de servicio. Adem\u00e1s, dado que un administrador de GoCD tiene la capacidad de configurar y programar tareas de canalizaci\u00f3n en todos los agentes de GoCD disponibles para el servidor, la funcionalidad fundamental de GoCD permite la ejecuci\u00f3n coordinada de tareas similar a la de los scripts posteriores a la copia de seguridad. Sin embargo, en entornos restringidos donde la administraci\u00f3n del host est\u00e1 separada del rol de un administrador de GoCD, esto puede ser inesperado. El problema se solucion\u00f3 en GoCD 24.5.0. Los scripts posteriores a la copia de seguridad ya no se pueden ejecutar desde ciertas ubicaciones confidenciales del servidor GoCD. No se conocen workarounds."}], "lastModified": "2025-08-01T20:03:29.550", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E635C706-A9AD-4E3E-8ADB-D0E39CF5ECC9", "versionEndExcluding": "24.5.0", "versionStartIncluding": "18.9.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}