Code Injection Vulnerability in GitHub Enterprise Server
CVE-2024-10001

7.1 HIGH

Key Information:

Vendor
GitHub
CVE Published:
29 January 2025

Summary

A code injection vulnerability has been identified in GitHub Enterprise Server that allows an attacker to inject malicious code through the identity property in message handling. The flaw can lead to the exfiltration of sensitive data, including authentication tokens, by manipulating the Document Object Model (DOM). Exploitation requires the victim to be logged in to GitHub and to interact with a specially crafted, attacker-controlled web page that contains a hidden iframe. The root cause is an incorrect validation order: the user-controlled identity property is accepted before the message's origin is checked. All GitHub Enterprise Server versions prior to the fixed releases listed below are affected; users should update to a patched version.
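The summary describes a validation-ordering bug in a message handler: data from the message is trusted before the sender's origin is verified. The following is an added illustrative example, not GitHub's code and not derived from the advisory's fix. It contrasts a simplified handler with that ordering against one that checks the origin first. TRUSTED_ORIGIN, IDENTITY_RE, the DOM stand-in, the handler names and the sample events are all constructed for the demonstration.

```javascript
// Added example, not GitHub's code: a simplified postMessage-style handler
// that shows the validation-ordering flaw class described in the summary
// (the message's user-controlled "identity" field is applied to page state
// before the sender's origin is checked) next to a hardened handler that
// checks origin first. All names and values below are assumptions.

const TRUSTED_ORIGIN = "https://app.example.test"; // assumed allowlisted origin
const IDENTITY_RE = /^[A-Za-z0-9_-]{1,64}$/;       // assumed identity format

function makeDom() {
  // Minimal stand-in for the page state a real handler would mutate.
  return { identity: null, log: [] };
}

// Vulnerable ordering: read and apply event.data, then check event.origin.
// The late origin check rejects the message, but the page state has already
// been modified with attacker-controlled input.
function handleMessageWeak(event, dom) {
  const identity = event.data && event.data.identity;
  if (typeof identity === "string") {
    dom.identity = identity;
    dom.log.push(`applied identity from ${event.origin}`);
  }
  if (event.origin !== TRUSTED_ORIGIN) {
    return false; // rejected, but too late
  }
  return true;
}

// Hardened ordering: verify the sender's origin with a strict comparison
// before touching event.data at all, then validate the payload's shape.
function handleMessageHardened(event, dom) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return false; // untrusted sender: nothing is read, nothing is applied
  }
  const identity = event.data && event.data.identity;
  if (typeof identity !== "string" || !IDENTITY_RE.test(identity)) {
    return false; // trusted sender, malformed payload
  }
  dom.identity = identity;
  dom.log.push(`applied identity from ${event.origin}`);
  return true;
}

// Constructed sample messages: one from a cross-origin frame, one from the
// allowlisted origin. Shapes mimic a MessageEvent's origin/data fields.
const crossOriginEvent = {
  origin: "https://other.example.test",
  data: { identity: "injected-value" },
};
const trustedEvent = {
  origin: TRUSTED_ORIGIN,
  data: { identity: "alice" },
};

function demo() {
  const weakDom = makeDom();
  const weakAccepted = handleMessageWeak(crossOriginEvent, weakDom);
  const hardDom = makeDom();
  const hardAccepted = handleMessageHardened(crossOriginEvent, hardDom);
  const okDom = makeDom();
  const okAccepted = handleMessageHardened(trustedEvent, okDom);
  return {
    weak: { accepted: weakAccepted, identity: weakDom.identity },
    hardened: { accepted: hardAccepted, identity: hardDom.identity },
    trusted: { accepted: okAccepted, identity: okDom.identity },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a browser the hardened function would be wired up as `window.addEventListener("message", (e) => handleMessageHardened(e, state))`. The point the example makes is that the weak handler's return value looks correct (the cross-origin message is "rejected"), yet its side effect on `identity` has already happened; reviewing handlers for any read of `event.data` that precedes the `event.origin` comparison is the check to run.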

Affected Version(s)

Enterprise Server 3.11.0 through 3.11.16

Enterprise Server 3.12.0 through 3.12.10

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matan Berson (matanber)
Johan Carlsson (joaxcar)