Unsafe Reflection Vulnerability in GitHub Enterprise Server Could Lead to Remote Code Execution
CVE-2024-0200
Summary
An unsafe reflection vulnerability was identified in GitHub Enterprise Server (GHES) that could lead to reflection injection, execution of user-controlled methods, and remote code execution. Exploitation required the actor to be logged into an account on the GHES instance with the organization owner role. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. GitHub proactively rotated sensitive keys in response to this high-severity vulnerability, which carries a Common Vulnerability Scoring System (CVSS) score of 7.2. At the time these measures were implemented there were no clear indications of the vulnerability being exploited in the wild. GitHub also resolved a separate high-severity bug that could allow privilege escalation through command injection. Both incidents underline the importance of continuous vigilance and readiness in software security across the tech industry.
Affected Version(s)
Enterprise Server 3.8.0
Enterprise Server >= 3.8.0, < 3.8.13
Enterprise Server >= 3.9.0, < 3.9.8
News Articles
CVE-2024-0200 - Mageni
CVE-2024-0200 An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the exe
9 months ago
Github Bolsters Security with Key Rotation Amid Vulnerability Concerns
Github Bolsters Security with Key Rotation Amid Vulnerability Concerns - isp.page
1 year ago
GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials
A high-severity bug (CVE-2024-0200) could've allowed attackers to access credentials in production containers on GitHub.
1 year ago
References
EPSS Score
14% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- First article discovered by The Hacker News
- Vulnerability published
- Vulnerability reserved