CVE-2024-56321

EPSS 0.71%
Veröffentlicht 03.01.2025 16:15:26
Zuletzt bearbeitet 01.08.2025 20:03:29
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has ability to configure and schedule pipelines tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup-scripts. However in restricted environments where the host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Thoughtworks ≫ Gocd Version >= 18.9.0 < 24.5.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.71%	0.718

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	3.8	1.2	2.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-36 Absolute Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

https://github.com/gocd/gocd/releases/tag/24.5.0

Release Notes

https://www.gocd.org/releases/#24-5-0

Release Notes

https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0

Patch

https://github.com/gocd/gocd/security/advisories/GHSA-7jr3-gh3w-vjxq

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-56321

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-56321

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-56321

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-56321