CVE-2024-56320: 
GoCD Server vulnerability analysis and mitigation

CVE-2024-56320 affects GoCD, a continuous delivery server, in versions prior to 24.5.0. The vulnerability stems from improper authorization of access to the admin 'Configuration XML' UI feature and its associated API. This security issue was discovered in January 2025 and was patched in GoCD version 24.5.0 (GitHub Advisory, Security Online).

The vulnerability has been assigned a Critical severity rating with a CVSS v4.0 base score of 9.4. The attack requires network access (AV:N), has low attack complexity (AC:L), requires no attack requirements (AT:N), needs low privileges (PR:L), and requires no user interaction (UI:N). The vulnerability impacts both vulnerable and subsequent systems with high severity across confidentiality, integrity, and availability (VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) (GitHub Advisory).

A malicious insider or authenticated GoCD user with an existing account can exploit this vulnerability to access information intended only for GoCD administrators or escalate their privileges to that of a GoCD admin in a persistent manner. The vulnerability cannot be exploited without prior authentication/login (GitHub Advisory, Security Online).

Users are strongly recommended to upgrade to GoCD version 24.5.0 which contains the fix. For those unable to upgrade immediately, temporary mitigation measures include: using a reverse proxy, WAF, or similar security mechanism to block external access to paths with the /go/rails/ prefix (this causes no loss of functionality), and reducing the GoCD user base to a more trusted set of users, including temporarily disabling plugins such as the guest-login-plugin (GitHub Advisory, Security Online).