Server-Side Request Forgery Vulnerability in GitHub Enterprise Server
CVE-2024-5746
What is CVE-2024-5746?
A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allows an attacker holding Site Administrator privileges to execute arbitrary code on the affected instance. Exploitation requires authenticated access to an account with Site Administrator status; the flaw is nonetheless severe because it yields code execution on the server itself. The issue affects all versions prior to 3.13 and is fixed in versions 3.12.5, 3.11.11, 3.10.13, and 3.9.16, so organizations running an affected release should upgrade to the patched release for their branch. The vulnerability was reported through the GitHub Bug Bounty program.
Affected Version(s)
GitHub Enterprise Server 3.9.0 to 3.9.15 (inclusive)
GitHub Enterprise Server 3.10.0 to 3.10.12 (inclusive)
GitHub Enterprise Server 3.11.0 to 3.11.10 (inclusive)
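As an added defender-side check, not part of this advisory: a small script that classifies a GHES version string against the fixed releases and affected branches stated above, useful when sweeping an inventory of instances. It assumes the 3.12 branch follows the same pattern (fixed in 3.12.5, as the text says), and treats branches older than 3.9 as affected with no fixed release named on this page.

```python
# Added example (not from the advisory): classify a GitHub Enterprise Server
# version against the CVE-2024-5746 fixed releases named on this page.
from typing import Optional, Tuple

# Fixed releases per branch, as stated in the advisory text above.
FIXED_BY_BRANCH = {
    (3, 9): (3, 9, 16),
    (3, 10): (3, 10, 13),
    (3, 11): (3, 11, 11),
    (3, 12): (3, 12, 5),   # assumption: follows the same per-branch pattern
}
FIRST_UNAFFECTED_BRANCH = (3, 13)  # "all versions prior to 3.13"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; a leading 'v' or a '-build' suffix is tolerated."""
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_version).

    fixed_version is None when the instance is not affected, or when the page
    names no patched release for its branch (branches older than 3.9)."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return False, None
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return True, None  # older than 3.9: affected, no fix listed here
    if (major, minor, patch) >= fixed:
        return False, None
    return True, ".".join(map(str, fixed))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("ghes-a", "3.11.10"), ("ghes-b", "3.12.5"), ("ghes-c", "3.8.2")]:
        affected, fix = assess(ver)
        if not affected:
            print(f"{host} {ver}: not affected")
        elif fix:
            print(f"{host} {ver}: AFFECTED, upgrade to {fix}")
        else:
            print(f"{host} {ver}: AFFECTED, no fixed release on this branch")
```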