CVE - CVE-2024-56321

CVE-ID
CVE-2024-56321	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has ability to configure and schedule pipelines tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup-scripts. However in restricted environments where the host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0 URL:https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0 MISC:https://github.com/gocd/gocd/releases/tag/24.5.0 URL:https://github.com/gocd/gocd/releases/tag/24.5.0 MISC:https://github.com/gocd/gocd/security/advisories/GHSA-7jr3-gh3w-vjxq URL:https://github.com/gocd/gocd/security/advisories/GHSA-7jr3-gh3w-vjxq MISC:https://www.gocd.org/releases/#24-5-0 URL:https://www.gocd.org/releases/#24-5-0
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20241218	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20241218)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)