CVE-2024-56321: 
GoCD Server vulnerability analysis and mitigation

GoCD is a continuous delivery server. A vulnerability was discovered in versions 18.9.0 through 24.4.0 (inclusive) that allows GoCD administrators to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts (GitHub Advisory).

The vulnerability stems from insufficient validation of post-backup script locations, allowing execution of scripts from sensitive locations on the GoCD server. The issue has been assigned a CVSS v3.1 base score of 3.8 (LOW) with vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-36 (Absolute Path Traversal) and CWE-20 (Improper Input Validation) (GitHub Advisory).

The impact of this vulnerability is considered limited in practice, as in most configurations a user who can log into the GoCD UI as an admin typically already has host administration permissions for the host/container that GoCD runs on to manage artifact storage and other service-level configurations. Additionally, GoCD admins already have the ability to configure and schedule pipeline tasks on all available GoCD agents, providing similar task execution capabilities (NVD).

The vulnerability has been fixed in GoCD version 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available for earlier versions (GoCD Release Notes).