Command injection vulnerability was identified in GitHub Enterprise Server that allowed privilege escalation in the Management Console
CVE-2024-3646

8 HIGH

Key Information:

Vendor: GitHub
CVE Published: 19 April 2024

Summary

A command injection vulnerability was discovered in GitHub Enterprise Server that allows an attacker with editor privileges in the Management Console to obtain unauthorized admin SSH access. The flaw arises during the chat integration configuration process and can be exploited when the attacker can reach the GitHub Enterprise Server instance with the required permissions. The vulnerability impacts all versions prior to 3.12 and was addressed in subsequent updates, namely versions 3.12.2, 3.11.8, 3.10.10, and 3.9.13. Upgrading to one of these fixed versions mitigates the risk of unauthorized access.

Affected Version(s)

Enterprise Server 3.9.0 < 3.9.13

Enterprise Server 3.10.0 < 3.10.10

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

Credit

r31n