Server-Side Request Forgery Vulnerability in GitHub Enterprise Server
CVE-2024-5746

7.6 HIGH

Key Information:

Vendor: GitHub
CVE Published: 20 June 2024

Summary

A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allows an attacker with Site Administrator privileges to execute arbitrary code on the server instance. Exploitation requires an authenticated account that already holds Site Administrator status, so this is not an unauthenticated remote code execution path; it is a privilege-to-code-execution path, and a compromised or malicious Site Administrator account gains execution on the appliance itself. All versions of GitHub Enterprise Server prior to 3.13 are affected. The issue was fixed in versions 3.12.5, 3.11.11, 3.10.13, and 3.9.16, and administrators of instances on any of those branches should upgrade to at least the listed release. The vulnerability was reported through the GitHub Bug Bounty program.

Affected Version(s)

GitHub Enterprise Server 3.9.0 to 3.9.15 (fixed in 3.9.16)

GitHub Enterprise Server 3.10.0 to 3.10.12 (fixed in 3.10.13)

GitHub Enterprise Server 3.11.0 to 3.11.10 (fixed in 3.11.11)

GitHub Enterprise Server 3.12.0 to 3.12.4 (fixed in 3.12.5)
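To turn the version ranges above into something an operator can run against a fleet, the following Python check is an added example (it is not GitHub's code and not part of the original advisory). It compares a GitHub Enterprise Server version string against the fixed releases listed in this advisory. It assumes the version is taken from the installed_version field that a GitHub Enterprise Server instance returns from GET /api/v3/meta; the sample response bodies in the block are constructed so that the script runs offline. Branches older than 3.9 have no listed fix and are treated as affected, following the advisory's statement that all versions prior to 3.13 are affected.

```python
"""Classify a GitHub Enterprise Server version against the CVE-2024-5746 fixed releases.

Fixed versions are the ones listed in the advisory above. The version string
format (e.g. "3.11.10") is what GHES reports in the `installed_version` field
of GET /api/v3/meta; the fetch itself is left to the reader so this runs offline.
"""
import json
import re

# Minimum patched release per supported branch, taken from the advisory.
FIXED = {
    (3, 9): (3, 9, 16),
    (3, 10): (3, 10, 13),
    (3, 11): (3, 11, 11),
    (3, 12): (3, 12, 5),
}
# The advisory says everything prior to 3.13 is affected, so 3.13+ is out of scope.
FIRST_UNAFFECTED_BRANCH = (3, 13)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as ints, or raise ValueError.

    Any suffix after the third component (e.g. ".rc1" or "-custom") is ignored
    for the comparison, since patch level is what decides affectedness here.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return 'affected', 'fixed' or 'unaffected-branch' for a version string."""
    major, minor, patch = parse_version(version_text)
    if (major, minor) >= FIRST_UNAFFECTED_BRANCH:
        return "unaffected-branch"
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Branch older than 3.9 (end of life): no patched release is listed and
        # the advisory covers all versions prior to 3.13, so report as affected.
        return "affected"
    return "fixed" if (major, minor, patch) >= fixed else "affected"


def assess_meta(meta_json):
    """Assess the JSON body of GET /api/v3/meta from a GHES instance.

    github.com's /meta has no installed_version, so a missing field is reported
    as 'unknown-version' rather than being guessed at.
    """
    meta = json.loads(meta_json)
    version = meta.get("installed_version")
    if not version:
        return "unknown-version"
    return assess(version)


# Constructed sample /meta bodies (not captured from a real instance).
SAMPLE_META = {
    "patched": '{"verifiable_password_authentication": true, "installed_version": "3.11.11"}',
    "unpatched": '{"installed_version": "3.12.4"}',
    "end-of-life": '{"installed_version": "3.8.20"}',
    "newer": '{"installed_version": "3.13.0"}',
    "no-version": '{"verifiable_password_authentication": true}',
}

if __name__ == "__main__":
    for name, body in SAMPLE_META.items():
        print(f"{name:12s} -> {assess_meta(body)}")
```

In a real deployment the body passed to assess_meta would come from an authenticated request to the instance's /api/v3/meta endpoint; anything that reports "affected" should be scheduled for upgrade to the corresponding fixed release, and "end-of-life" branches should be moved to a supported one since no patch exists for them.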

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published: 20 June 2024

Credit

r31n