CVE-2017-18365
published 2019-03-28


Priority: P187 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW): listed in VulnCheck KEV
EPSS: 21.40% (97.3rd percentile)
The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a deserialization issue that allows unauthenticated remote attackers to execute arbitrary code. This occurs because the enterprise session secret is always the same, and can be found in the product's source code. By sending a crafted cookie signed with this secret, one can call Marshal.load with arbitrary data, which is a problem because the Marshal data format allows Ruby objects.

Affected (2 ranges)

Vendor   Product   Version range        Fixed in
github   github    -                    -
github   github    >= 2.8.0 < 2.8.7     2.8.7

Detection & IOCs (extracted from sources)

Cookie: crafted cookie signed with the hard-coded enterprise session secret
  • The session secret is hard-coded and present in GitHub Enterprise source code; any session cookie signed with this known static secret should be treated as suspicious and potentially malicious.
  • Monitor HTTP requests to the GitHub Enterprise Management Console for inbound cookies containing serialized Ruby Marshal data (magic bytes \x04\x08), which would indicate an exploitation attempt.
  • Unauthenticated requests to the Management Console endpoint carrying a session cookie should be flagged; exploitation requires no prior authentication.
  • A Metasploit module exists for this vulnerability, targeting GitHub Enterprise versions 2.8.0–2.8.6 via linux/http; observed use of this module indicates active exploitation attempts.
  • The hard-coded session secret is embedded in the GitHub Enterprise product source code and is identical across all affected deployments (versions 2.8.0–2.8.6), so every instance is equally vulnerable with no per-installation variation.
  • Exploitation was confirmed against version 2.8.0 specifically in the Metasploit module, though the vulnerable range spans 2.8.0 through 2.8.6.

CVSS provenance

Source      Version   Score   Severity   Vector
NVD         v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck   -         9.8     CRITICAL   -