GoCD XML External Entity Injection Vulnerability in Configuration Repository Feature

Vulnerability

A vulnerability allowing XML External Entity (XXE) injection has been identified in GoCD, a continuous delivery server. This issue affects GoCD versions from 16.7.0 up to, but not including, 24.5.0. The vulnerability arises because GoCD admins can abuse a hidden configuration repository feature, 'pipelines as code', to perform XXE injection on the GoCD server. The injected XML entities are processed when GoCD scans for pipeline updates, either automatically or at the request of an administrator. The impact is generally limited, as only GoCD (super) admins can exploit this vulnerability, and such an admin already has capabilities more damaging than XXE injection alone.

Impact

Exploitation of this vulnerability allows XML External Entity injection, which can be used to read arbitrary files on the server or to cause a denial of service through excessive resource consumption. In this context, however, the impact is mitigated by the fact that only GoCD (super) admins can exploit the vulnerability, and they typically already have access to more damaging capabilities.

Reproduction

To reproduce this vulnerability, an admin creates a configuration repository whose XML content is not validated against external entity declarations, by uploading a malicious XML file that exploits the XXE weakness when the GoCD server processes it. The injected entities are resolved when GoCD scans for pipeline updates, either automatically or when triggered manually.

Remediation

Users should upgrade to GoCD version 24.5.0, where this vulnerability has been fixed. If an immediate upgrade is not possible, it is recommended to block outbound access from the GoCD server to arbitrary locations, using some form of environment egress control.
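Parser-side hardening against this vulnerability class, as an added Python example that is not GoCD's own code (the GoCD server is written in Java): it parses constructed, GoCD-style config-repo XML and rejects any DOCTYPE before an entity declaration can be honoured, the equivalent of enabling the disallow-doctype-decl feature on a Java XML parser.

```python
import xml.parsers.expat as expat

# Constructed sample: a minimal GoCD-style pipeline definition with no DOCTYPE.
SAFE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<cruise schemaVersion="0"><pipelines group="example">
  <pipeline name="build"><materials><git url="https://example.invalid/app.git"/></materials></pipeline>
</pipelines></cruise>"""

# Constructed sample: the same document with a DOCTYPE declaring an external entity
# (placeholder URI), the shape a hardened parser must refuse before expansion.
XXE_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cruise [ <!ENTITY ext SYSTEM "file:///constructed/placeholder"> ]>
<cruise schemaVersion="0"><pipelines group="example"><pipeline name="&ext;"/></pipelines></cruise>"""

class DoctypeRejected(ValueError):
    """Raised when a DOCTYPE or an external entity reference is encountered."""

def parse_pipeline_config(data: bytes) -> dict:
    """Parse config-repo XML with expat, refusing any DOCTYPE and collecting pipeline names."""
    parser = expat.ParserCreate()
    seen = {"elements": 0, "pipelines": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at the start of the DOCTYPE, before any <!ENTITY> inside it is processed.
        raise DoctypeRejected(f"DOCTYPE for <{name}> not allowed")

    def on_external_ref(context, base, sysid, pubid):
        # Defence in depth: never fetch an external entity even if one is referenced.
        raise DoctypeRejected(f"external entity {sysid!r} not resolved")

    def on_start(name, attrs):
        seen["elements"] += 1
        if name == "pipeline":
            seen["pipelines"].append(attrs.get("name"))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # raises DoctypeRejected or ExpatError on bad input
    return seen

def check_config(data: bytes) -> tuple:
    """Return (accepted, detail) for one config-repo document."""
    try:
        seen = parse_pipeline_config(data)
    except DoctypeRejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, f"{seen['elements']} elements, pipelines={seen['pipelines']}"
```

Running `check_config` over both samples accepts the first and rejects the second at the DOCTYPE, so the entity body is never consulted.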

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
  spread:          1.4
  impact:          2.5
  exploitability:  5.4
  remediation:     7.9
  relevance:       0.0
  threat:          4.8
  urgency:         2.9
  incentive:       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.