CVE-2024-56320
GoCD Unauthorized Admin Access Privilege Escalation
Description
GoCD is a continuous deliver server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. it is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediate upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account.
INFO
Published Date :
Jan. 3, 2025, 4:15 p.m.
Last Modified :
Aug. 1, 2025, 8:09 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 4.0 | CRITICAL | [email protected] |
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-56320.
| URL | Resource |
|---|---|
| https://github.com/gocd/gocd/commit/68b598b97bd283a5a85e20d018d69fe86acf4165 | Patch |
| https://github.com/gocd/gocd/releases/tag/24.5.0 | Release Notes |
| https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j | Vendor Advisory |
| https://www.gocd.org/releases/#24-5-0 | Release Notes |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-56320 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-56320
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-56320 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2024-56320 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Aug. 01, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:* versions up to (excluding) 24.5.0 Added Reference Type GitHub, Inc.: https://github.com/gocd/gocd/commit/68b598b97bd283a5a85e20d018d69fe86acf4165 Types: Patch Added Reference Type GitHub, Inc.: https://github.com/gocd/gocd/releases/tag/24.5.0 Types: Release Notes Added Reference Type GitHub, Inc.: https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j Types: Vendor Advisory Added Reference Type GitHub, Inc.: https://www.gocd.org/releases/#24-5-0 Types: Release Notes -
New CVE Received by [email protected]
Jan. 03, 2025
Action Type Old Value New Value Added Description GoCD is a continuous deliver server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin "Configuration XML" UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. it is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediate upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-285 Added Reference https://github.com/gocd/gocd/commit/68b598b97bd283a5a85e20d018d69fe86acf4165 Added Reference https://github.com/gocd/gocd/releases/tag/24.5.0 Added Reference https://github.com/gocd/gocd/security/advisories/GHSA-346h-q594-rj8j Added Reference https://www.gocd.org/releases/#24-5-0