GoCD
cpe:2.3:a:thoughtworks:gocd:*:*:*:*:*:*:*
- < 24.5.0
A vulnerability allowing XML External Entity (XXE) injection has been identified in GoCD, a continuous delivery server, in versions prior to 24.5.0. This issue arises from the ability of 'group admins' to edit raw XML configurations for their groups, which can be exploited to inject malicious XML that the server processes. While this XXE vulnerability could theoretically lead to additional attacks such as Server-Side Request Forgery (SSRF), information disclosure, or directory traversal, these secondary exploits have not been demonstrated as possible.
Exploitation of this vulnerability allows for XXE injection, which could be used to read arbitrary files on the server or potentially lead to a Server-Side Request Forgery (SSRF) attack, according to the advisory. Additionally, this vulnerability could be used to disclose information from the GoCD server or traverse directories, although these latter impacts have not been explicitly proven as exploitable.
This vulnerability has been fixed in GoCD version 24.5.0. Users can upgrade to this version to address the issue. If an immediate upgrade is not possible, it is recommended to block access to '/go/*/pipelines/snippet' routes from an external reverse proxy or Web Application Firewall (WAF), especially if 'group admin' users do not need to edit pipeline XML directly. Another workaround is to prevent external access from the GoCD server to arbitrary locations using environment egress controls.
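The following nginx fragment is an added example, not configuration from the GoCD project or from the advisory, showing how the interim workaround above can be implemented at a reverse proxy: requests to the `/go/*/pipelines/snippet` routes are refused before they reach the GoCD server, while all other `/go/` traffic is proxied as usual. The upstream address, the `server_name`, and the interpretation of the advisory's `*` as one or more path segments are assumptions; TLS and the remaining proxy settings are taken to be configured elsewhere in the same server block.

```nginx
# Added example (not from the GoCD project or the advisory): an nginx
# reverse-proxy fragment implementing the advisory's interim workaround of
# blocking the '/go/*/pipelines/snippet' routes externally.
# Assumptions: the upstream address 127.0.0.1:8153, the placeholder host name,
# and that TLS and the rest of the proxy configuration live elsewhere.

upstream gocd_server {
    server 127.0.0.1:8153;   # assumed GoCD listen address
}

server {
    listen 443 ssl;
    server_name gocd.example.internal;   # placeholder host name

    # Regex locations are evaluated before the prefix location below, so this
    # match wins for any path of the form /go/<segments>/pipelines/snippet.
    # nginx normalizes dot-segments and duplicate slashes before matching,
    # so '/go/./x/pipelines/snippet' is still caught. The advisory's '*' is
    # treated here as one or more path segments.
    location ~ ^/go/.+/pipelines/snippet {
        return 403;
    }

    # Everything else under /go/ is proxied to GoCD unchanged.
    location /go/ {
        proxy_pass         http://gocd_server;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, confirm the block with a request to such a path from outside the proxy and expect a 403, and check the proxy's access log so that any legitimate 'group admin' use of the snippet editor shows up as denied rather than silently failing. The block is a stop-gap only: it does nothing for traffic that reaches GoCD without passing through this proxy, and it does not replace upgrading to 24.5.0 or the egress controls the advisory also recommends.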