GitHub Enterprise Server Path Collision Vulnerability
CVE-2024-10007
Summary
A path-collision vulnerability in GitHub Enterprise Server could allow arbitrary code execution, potentially enabling an attacker with Enterprise Administrator access to escape container restrictions and escalate privileges to root. All versions of GitHub Enterprise Server prior to 3.15 are affected; the issue is fixed in 3.14.3, 3.13.6, 3.12.11, and 3.11.17. The vulnerability was reported through the GitHub Bug Bounty program.
Affected Version(s)
Enterprise Server 3.11.0 through 3.11.16
Enterprise Server 3.12.0 through 3.12.10
Timeline
Vulnerability published
Vulnerability Reserved