{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-21T00:32:44.691","vulnerabilities":[{"cve":{"id":"CVE-2024-56322","sourceIdentifier":"security-advisories@github.com","published":"2025-01-03T16:15:26.480","lastModified":"2026-06-17T08:12:02.503","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control."},{"lang":"es","value":"GoCD es un servidor de entrega continua. Las versiones de GoCD 16.7.0 a 24.4.0 (incluida) pueden permitir que los administradores de GoCD abusen de una característica oculta/no utilizada del repositorio de configuración (canalizaciones como código) para permitir la inyección de XML External Entity (XXE) en el servidor de GoCD, que se ejecutará cuando GoCD escanee periódicamente los repositorios de configuración en busca de actualizaciones de canalizaciones, o sea activada por un administrador o administrador del repositorio de configuración. En la práctica, el impacto de esta vulnerabilidad es limitado, en la mayoría de los casos sin combinarse con otra vulnerabilidad, ya que solo los administradores (super) de GoCD tienen la capacidad de aprovechar esta vulnerabilidad. Por lo general, un administrador malintencionado de GoCD puede causar un daño mucho mayor que el que puede causar con la inyección de XXE. El problema se solucionó en GoCD 24.5.0. Como workaround, evite el acceso externo desde el servidor de GoCD a ubicaciones arbitrarias utilizando algún tipo de control de salida del entorno."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"gocd","product":"gocd","versions":[{"version":">= 16.7.0, < 24.5.0","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.1,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-01-03T17:09:40.613611Z","id":"CVE-2024-56322","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-611"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*:*","versionStartIncluding":"16.7.0","versionEndExcluding":"24.5.0","matchCriteriaId":"2A810379-5DD5-4A23-8C3D-A43D6CF8BBF9"}]}]}],"references":[{"url":"https://github.com/gocd/gocd/commit/410331a97eb2935e04c1372f50658e05c533f733","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/gocd/gocd/releases/tag/24.5.0","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/gocd/gocd/security/advisories/GHSA-8xwx-hf68-8xq7","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://www.gocd.org/releases/#24-5-0","source":"security-advisories@github.com","tags":["Release Notes"]}]}}]}