{"id":"CVE-2024-56321","summary":"GoCD can allow malicious GoCD admins to abuse backup configuration to gain additional host access","details":"GoCD is a continuous delivery server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration \"post-backup script\" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has the ability to configure and schedule pipeline tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup scripts. However, in restricted environments where host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server.\nNo known workarounds are available.","aliases":["GHSA-7jr3-gh3w-vjxq"],"modified":"2026-04-02T12:24:44.556199Z","published":"2025-01-03T15:41:40.737Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56321.json","cwe_ids":["CWE-20","CWE-36"]},"references":[{"type":"WEB","url":"https://github.com/gocd/gocd/releases/tag/24.5.0"},{"type":"WEB","url":"https://www.gocd.org/releases/#24-5-0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56321.json"},{"type":"ADVISORY","url":"https://github.com/gocd/gocd/security/advisories/GHSA-7jr3-gh3w-vjxq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56321"},{"type":"FIX","url":"https://github.com/gocd/gocd/commit/631f315d17fcb73f310eee6c881974c9b55ca9f0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gocd/gocd","events":[{"introduced":"f202ea9416939d7ce356cf3939239ef953ec423b"},{"fixed":"8f7bf5297c90c909e42d030baad54a1d32701c65"}]}],"versions":["18.10.0","18.11.0","18.12.0","18.9.0","19.1.0","19.10.0","19.11.0","19.12.0","19.2.0","19.3.0","19.4.0","19.5.0","19.6.0","19.7.0","19.8.0","19.9.0","20.1.0","20.10.0","20.2.0","20.3.0","20.4.0","20.5.0","20.6.0","20.7.0","20.8.0","20.9.0","21.1.0","21.2.0","21.3.0","21.4.0","22.1.0","22.2.0","22.3.0","23.1.0","23.2.0","23.3.0","23.4.0","23.5.0","24.1.0","24.2.0","24.3.0","24.4.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56321.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"}]}