Unsafe Reflection Vulnerability in GitHub Enterprise Server Could Lead to Remote Code Execution
CVE-2024-0200
Key Information
- Vendor: GitHub
- Product: Enterprise Server
- CVE Published: 16 January 2024
Summary
An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection, execution of user-controlled methods, and remote code execution. Exploitation required an actor to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. GitHub took proactive measures by rotating sensitive keys in response to the high-severity vulnerability, which had a 7.2 Common Vulnerability Scoring System (CVSS) score. There were no clear indications of the vulnerability being exploited in the wild at the time these measures were implemented. GitHub also resolved another high-severity bug that might allow privilege escalation through command injection. These incidents highlight the importance of continuous vigilance and readiness in software security across the tech industry.
Affected Version(s)
Enterprise Server <= 3.8.0
Enterprise Server < 3.8.13
Enterprise Server < 3.9.8
News Articles
CVE-2024-0200 - Mageni
CVE-2024-0200 An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the exe
8 months ago
Github Bolsters Security with Key Rotation Amid Vulnerability Concerns - isp.page
11 months ago
GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials
A high-severity bug (CVE-2024-0200) could've allowed attackers to access credentials in production containers on GitHub.
11 months ago
References
EPSS Score
6% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
First article discovered by The Hacker News
Vulnerability published
Vulnerability Reserved