H3-2025-0034
GoCD Encryption Key Exposure in Pipeline Configuration
Category | SECURITY_MISCONFIGURATION |
Base Score | 3.0 |
Description
GoCD keeps a symmetric encryption key in a file named cipher.aes and uses it to encrypt secure variables and other secrets stored in the pipeline configuration. In certain versions of the GoCD server, the business continuity add-on endpoint that serves this key (such as '/go/add-on/business-continuity/api/cipher.aes') can be reached without authentication. An unauthenticated attacker can therefore retrieve the key with a single GET request; no exploit chain is required, and the response is easy to recognise automatically because the key is a 32-character hexadecimal string that a scanner can match with a regular expression. With the key, an attacker who also obtains the encrypted configuration can decrypt the secrets it protects, use them to manipulate pipelines, and combine the exposure with other weaknesses into a pre-authentication pipeline takeover. The exposure also signals a gap in the instance's access control that may extend to other sensitive endpoints, allowing an attacker to intercept, modify, or replay automated processes. Although the base score is low because of the limited access the key alone grants and the specific attack vectors involved, the cumulative impact on the integrity and confidentiality of the CI/CD system is significant if the issue is left unmitigated.
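The following checker, added here as an example and not code from the advisory or from the GoCD project, performs the unauthenticated GET described above and classifies the response. It matches the whole stripped body against the 32-hex-character pattern rather than searching for a substring, so an asset fingerprint or token embedded in a redirected login page does not produce a false positive; the same function can be run after remediation to confirm the endpoint now returns 401 or 403. The endpoint path is taken from the advisory; the host name and the sample responses are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Endpoint path quoted in the advisory. The host it is joined to is an assumption.
CIPHER_PATH = "/go/add-on/business-continuity/api/cipher.aes"

# GoCD's cipher.aes holds a 16-byte AES key encoded as 32 hex characters.
# Anchored to the whole body so hashes inside an HTML page are not mistaken for it.
KEY_RE = re.compile(r"[0-9a-fA-F]{32}")


def extract_key(status, body):
    """Return the key if a GET came back as a bare 32-hex-char body, else None."""
    if status != 200:
        return None
    text = body.strip()
    if KEY_RE.fullmatch(text):
        return text.lower()
    return None


def classify(status, body):
    """Summarise an unauthenticated GET on the cipher endpoint."""
    if status in (401, 403):
        return "protected"     # authentication is enforced (expected after fixing)
    if status == 404:
        return "absent"        # add-on not present or endpoint removed
    if extract_key(status, body) is not None:
        return "exposed"       # key returned without credentials
    return "inconclusive"      # e.g. a login page or HTML error served with 200


def probe(base_url, timeout=10):
    """Issue the GET with no credentials and return (classification, key_or_None)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + CIPHER_PATH,
        headers={"Accept": "*/*", "User-Agent": "gocd-cipher-check/1.0"},
        method="GET",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    return classify(status, body), extract_key(status, body)


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "vulnerable server": (200, "0123456789abcdef0123456789abcdef\n"),
    "login page with asset hash": (
        200,
        '<html><script src="/go/assets/app-0123456789abcdef0123456789abcdef.js">'
        "</script></html>",
    ),
    "fixed server": (401, "Unauthorized"),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name}: {classify(status, body)}")
    # Against a live host (hypothetical URL): probe("https://gocd.example.internal")
```

A 200 that is not a bare key is reported as inconclusive rather than safe; the server may be serving a login page, and only a 401 or 403 from the endpoint itself shows the authorization check is in place.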
Impact
Exploitation of this vulnerability allows an unauthenticated attacker to obtain the encryption key that protects secrets in the GoCD pipeline configuration. With the key, the attacker can decrypt any encrypted configuration data they can reach, alter pipeline definitions, and use the recovered credentials to gain further access to the server and the systems it deploys to. This can escalate into pipeline takeover, compromise of internal data, and broader intrusions that disrupt the organisation's continuous integration and delivery processes.