GoCD
cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*
- < 24.5.0
A vulnerability allowing admin privilege escalation has been identified in GoCD versions prior to 24.5.0. This issue arises from improper authorization of access to the admin 'Configuration XML' user interface and its related API. As a result, a malicious insider or authenticated GoCD user could exploit this vulnerability to gain access to information reserved for GoCD admins or to permanently elevate their privileges to that of an admin. The vulnerability cannot be exploited before authentication.
Exploitation of this vulnerability allows an authenticated, non-admin user to escalate their privileges to those of a GoCD admin, granting them access to admin-only information and functionality.
To reproduce this vulnerability, an authenticated GoCD user who is not an admin requests the admin 'Configuration XML' UI or the API behind it. Because the server does not enforce the admin authorization check on these endpoints, the request succeeds: the user can both read the server configuration (disclosing information reserved for admins) and modify it, which is how the permanent elevation to admin described above is possible. Valid GoCD credentials are required; the issue is not reachable by an unauthenticated client.
Users should upgrade to GoCD version 24.5.0, where this vulnerability has been fixed. For those unable to upgrade immediately, place a reverse proxy or Web Application Firewall (WAF) in front of GoCD and deny requests whose path begins with '/go/rails/'; per the advisory, blocking this prefix does not disrupt GoCD's normal functionality. If neither option is feasible, limit GoCD user accounts to a more trusted group of users, including by disabling plugins that allow anonymous access.
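The path-blocking workaround above, expressed as an nginx reverse-proxy configuration. This is an added example, not configuration shipped by GoCD or taken from the advisory; the hostname gocd.example.internal, the certificate paths and the upstream address 127.0.0.1:8153 are assumptions to be replaced with the values of the actual deployment.

```nginx
# Added example (not from the GoCD project): nginx in front of a GoCD server,
# denying the '/go/rails/' prefix as the interim mitigation for the
# Configuration XML authorization issue in GoCD < 24.5.0.
# Assumptions: GoCD listens on 127.0.0.1:8153 and is reached only through
# this proxy; server_name and certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name gocd.example.internal;

    ssl_certificate     /etc/nginx/tls/gocd.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/gocd.key;   # assumed path

    # nginx matches 'location' against the normalized request URI (percent-decoded,
    # dot-segments resolved, repeated slashes merged while merge_slashes is on, the
    # default), so this one prefix rule also covers encoded or doubled-slash spellings
    # of the same path. '^~' makes this prefix win over any regex locations below it.
    location ^~ /go/rails/ {
        return 403;
    }

    # Everything else is proxied to GoCD unchanged.
    location / {
        proxy_pass http://127.0.0.1:8153;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two checks after reloading nginx: a request for any path under /go/rails/ (for example `curl -sk -o /dev/null -w '%{http_code}\n' https://gocd.example.internal/go/rails/`) must return 403, and ordinary pages under /go/ must still be served by GoCD. The rule is only effective if the GoCD port itself is not reachable except through the proxy (host firewall or a bind to the loopback interface), since a client that can talk to 8153 directly bypasses the proxy entirely.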