Unsafe Reflection Vulnerability in GitHub Enterprise Server Could Lead to Remote Code Execution

CVE-2024-0200
7.2 HIGH

Key Information

Vendor
GitHub
Product
Enterprise Server
CVE Published:
16 January 2024

Badges

📰 News Worthy

Summary

An unsafe reflection vulnerability was identified in GitHub Enterprise Server (GHES) that could lead to reflection injection, execution of user-controlled methods, and remote code execution. Exploitation required the actor to be logged into an account on the GHES instance that holds the organization owner role. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. GitHub rated it high severity with a CVSS v3.1 base score of 7.2 and, as a precaution, rotated sensitive keys. There was no clear indication of in-the-wild exploitation at the time the fixes were released. GitHub also resolved a second high-severity bug, a command injection that could allow privilege escalation. The practical lesson for GHES operators is that a "privileges required: high" rating is not a reason to defer the upgrade: an organization owner is a far more common role than a site administrator, and a reflection sink turns that role into code execution on the appliance itself.
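The summary names the bug class but, as advisories usually do, not the code. The following is an added illustration, written for this page and not taken from GitHub Enterprise Server, its advisory or the reporter's write-up, of what "unsafe reflection leading to execution of user-controlled methods" looks like in Ruby (GHES is built on Ruby on Rails) alongside the standard allowlist fix. The Exporters module, the handler names, the request hashes and the "secret" file contents are all constructed for the example.

```ruby
require "json"
require "tempfile"

# Constructed for this example: two "formats" a legitimate request is meant
# to choose between. Nothing here is GHES code.
module Exporters
  class Json
    def self.render(text)
      { "body" => text }.to_json
    end
  end

  class Csv
    def self.render(text)
      text.lines(chomp: true).join(",")
    end
  end
end

# VULNERABLE: both the class and the method are resolved from request
# parameters. Object.const_get can reach any constant in the process and
# public_send will call any public method on it, so the caller is no longer
# limited to Exporters::*.render. With format=Kernel&action=system the same
# line becomes Kernel.system(body), i.e. remote code execution.
def export_unsafe(params)
  klass = Object.const_get(params[:format])
  klass.public_send(params[:action], params[:body])
end

# The intended request works, which is why code like this survives review.
def legit_request
  export_unsafe(format: "Exporters::Json", action: "render", body: "hello")
end

# Reflection injection: no exporter is involved at all. The harmless variant
# used here turns the handler into an arbitrary file read of a constructed
# temp file; the same request shape reaches Kernel.system, IO.popen, etc.
def injected_request
  Tempfile.create("secret") do |f|
    f.write("db_password=hunter2") # constructed sample secret
    f.flush
    export_unsafe(format: "File", action: "read", body: f.path)
  end
end

# Prefixing the lookup with the module is not a fix: Module#const_get with
# the default inherit=true also searches Object, so Exporters.const_get("File")
# still resolves to ::File. inherit=false is the minimum; an allowlist is the
# real fix.
def namespace_prefix_still_leaks?
  Exporters.const_get("File").equal?(File)
end

# FIXED: map the untrusted string onto a fixed set of permitted classes and
# never reflect on the method name. Unknown input is rejected, not looked up.
EXPORTERS = { "json" => Exporters::Json, "csv" => Exporters::Csv }.freeze

def export_safe(params)
  klass = EXPORTERS.fetch(params[:format]) do
    raise ArgumentError, "unsupported format #{params[:format].inspect}"
  end
  klass.render(params[:body])
end

if __FILE__ == $PROGRAM_NAME
  puts legit_request
  puts injected_request
  puts namespace_prefix_still_leaks?
  puts export_safe(format: "csv", body: "a\nb")
  begin
    export_safe(format: "File", action: "read", body: "/etc/passwd")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

When auditing for this class, grep for `const_get`, `constantize`, `safe_constantize`, `send`, `public_send`, `method(` and `instance_variable_get` whose argument can be traced back to request data, and treat `safe_constantize` as no safer than `constantize` for this purpose: it only changes the failure mode for unknown names, not what a valid name can reach.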

Affected Version(s)

Enterprise Server <= 3.8.0

Enterprise Server < 3.8.13

Enterprise Server < 3.9.8

Enterprise Server < 3.10.5

Enterprise Server < 3.11.3

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
Score: 7.2
Severity: HIGH
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: Low

Timeline

  • First article discovered by The Hacker News

  • Vulnerability published.

  • Vulnerability Reserved.

Collectors

  • NVD Database

  • Mitre Database

  • 3 News Article(s)

Credit

Ngo Wei Lin of STAR Labs