Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
GoCD vulnerable to XXE injection via abuse of unused XML configuration repository functionality
Vulnerability Description
GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than that they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control.
CVSS Information
N/A
Vulnerability Type
XML外部实体引用的不恰当限制(XXE)
Vulnerability Title
GoCD 代码问题漏洞
Vulnerability Description
GoCD是GoCD开源的一个持续交付服务器。 GoCD 16.7.0版本至24.4.0版本存在代码问题漏洞,该漏洞源于允许滥用隐藏/未使用的配置存储库功能,从而导致XML外部实体(XXE)注入漏洞。
CVSS Information
N/A
Vulnerability Type
N/A