CVE-2024-0200
published 2024-01-16

Priority: P1 | 86 | critical | CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note: the vector scores Privileges Required as None (PR:N), but the description below and the exploit analysis both require an authenticated account holding the organization owner role, so treat the 9.8 as an upper bound when prioritising patching rather than as evidence of unauthenticated exploitability.
Exploit: public exploit available (PoC and Nuclei template referenced below)
EPSS: 71.73% (99.3rd percentile)
An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. This vulnerability was reported via the GitHub Bug Bounty program.

Affected

4 ranges
Vendor | Product           | Version range          | Fixed in
github | enterprise_server | >= 3.8.0  < 3.8.13     | 3.8.13
github | enterprise_server | >= 3.9.0  < 3.9.8      | 3.9.8
github | enterprise_server | >= 3.10.0 < 3.10.5     | 3.10.5
github | enterprise_server | >= 3.11.0 < 3.11.3     | 3.11.3

Detection & IOCs (extracted from sources)

url: /api/v3/user/orgs
url: /api/v3/orgs/{org_name}/memberships/{username}
url: /api/v3/orgs/{org_name}/repos
url: /organizations/{org_name}/settings/actions/repository_items?page=1&rid_key=nw_fsck
cookie: _gh_render={{final_payload}} (serialized ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy payload)
path: /organizations/*/settings/actions/repository_items
other: ENTERPRISE_SESSION_SECRET
bytes (URL-encoded prefix of the Ruby Marshal payload; %04%08 is the Marshal 4.8 version header):
%04%08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy%09:%0e@instanceo:%1dAqueduct::Worker::Worker
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Github Enterprise Unsafe Reflection Information Leak Attempt (CVE-2024-0200)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/organizations/"; startswith; content:"/settings/actions/repository_items"; distance:0; content:"rid_key|3d|restore_objects"; fast_pattern; distance:0; reference:url,blog.convisoappsec.com/en/analysis-of-github-enterprise-vulnerabilities-cve-2024-0507-cve-2024-0200/; reference:cve,2024-0200; classtype:attempted-admin; sid:2058205; rev:1; metadata:affected_product Github_Enterprise, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_12_12, cve CVE_2024_0200, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_12_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit chain begins with GET /api/v3/user/orgs to enumerate org membership, then checks for 'admin' role in org membership API response before proceeding.
  • The exploit extracts ENTERPRISE_SESSION_SECRET from the repository_items endpoint using the regex pattern '"ENTERPRISE_SESSION_SECRET"=>"([^"]+?)"' in the response body.
  • The malicious payload is delivered via the _gh_render cookie as a base64+HMAC-signed Ruby Marshal object (ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy wrapping Aqueduct::Worker::Worker). Detect anomalously large or structurally unusual _gh_render cookie values.
  • Snort/Suricata SID 2058205 detects the exploit's reconnaissance phase: a GET to /organizations/*/settings/actions/repository_items with the query parameter rid_key=restore_objects. Note that the rule keys on that one value only, while the IOC list above also records rid_key=nw_fsck for the same endpoint; since the reflected method name is attacker-controlled, a rule that matches a single value will miss variants. Where you can, alert on any rid_key value reaching that path, and remember the rule needs TLS decryption (tls_state TLSDecrypt) to see the URI at all.
  • Successful exploitation results in an HTTP 500 response from the server combined with an outbound DNS/HTTP callback (OOB interaction). Correlate 500 errors on the root path '/' with anomalous _gh_render cookies.
  • The exploit uses HMAC-SHA1 over the base64-encoded Marshal payload with the extracted ENTERPRISE_SESSION_SECRET to forge a valid _gh_render cookie (format: base64_payload--hmac_digest).
  • Shodan/FOFA queries can identify exposed GitHub Enterprise instances as targets: Shodan 'title:"GitHub Enterprise"', FOFA 'app="Github-Enterprise"'.
  • Exploitation requires the attacker to be authenticated with an organization owner (admin) role on the GHES instance; unauthenticated exploitation is not possible.
  • The Nuclei template requires valid credentials (username/password) to be supplied as variables; it performs a full authenticated session flow before delivering the payload.
  • GitHub rotated all potentially exposed credentials (commit signing key, GitHub Actions, Codespaces, and Dependabot customer encryption keys) after the vulnerability was reported; customers using those keys must import new public keys.
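The detection bullets above (the rid_key reconnaissance request, the oversized or gadget-bearing _gh_render cookie, the base64--HMAC-SHA1 cookie layout, and the 500 on "/" that accompanies the RCE attempt) can be turned into one offline check over access logs. The following is an added example written for this page, not code from GitHub, Conviso, or the Nuclei template. It assumes a constructed log format ('<METHOD> <TARGET> <STATUS> cookie="<Cookie header>"'), a constructed stand-in secret, and that the log stores the raw cookie value; the gadget bytes it matches on are the URL-decoded prefix of the page's byte IOC, which is a truncated Marshal stream and not a working payload. The signature check goes one step beyond the page: a gadget cookie that verifies under the instance's own ENTERPRISE_SESSION_SECRET tells you the secret has already leaked, not just that someone tried.

```python
import base64
import binascii
import hashlib
import hmac
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Byte markers from the page's IOC (URL-decoded): the Ruby Marshal 4.8 header
# followed by the gadget class the cookie payload wraps.
MARSHAL_HEADER = b"\x04\x08"
GADGET_MARKER = b"ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"
WORKER_MARKER = b"Aqueduct::Worker::Worker"

# Recon endpoint from the IOC list. Any rid_key value is flagged, not only the
# restore_objects value the Snort rule matches.
RECON_PATH = re.compile(r"^/organizations/[^/]+/settings/actions/repository_items$")

# Constructed log format (an assumption for this example).
LOG_RE = re.compile(r'^(\S+) (\S+) (\d{3})(?: cookie="([^"]*)")?$')


def rails_sign(payload: bytes, secret: str) -> str:
    """Legacy Rails MessageVerifier layout the exploit reproduces:
    base64(payload) + '--' + hex(HMAC-SHA1(secret, base64 text)).
    Used here only to build sample cookies and to check signatures."""
    encoded = base64.b64encode(payload).decode("ascii")
    digest = hmac.new(secret.encode(), encoded.encode(), hashlib.sha1).hexdigest()
    return f"{encoded}--{digest}"


def signature_is_valid(cookie: str, secret: str) -> bool:
    encoded, sep, digest = cookie.rpartition("--")
    if not sep:
        return False
    expected = hmac.new(secret.encode(), encoded.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, digest)


def inspect_gh_render(cookie: str, secret: Optional[str] = None, max_len: int = 2048) -> List[str]:
    """Findings for one _gh_render value; only 'valid-signature' is benign on its own."""
    findings: List[str] = []
    encoded, sep, digest = cookie.rpartition("--")
    if not sep or not re.fullmatch(r"[0-9a-f]{40}", digest):
        findings.append("malformed-signature")
        encoded = cookie
    if len(cookie) > max_len:
        findings.append("oversized")
    try:
        payload = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return findings + ["undecodable"]
    if payload.startswith(MARSHAL_HEADER) and GADGET_MARKER in payload:
        findings.append("deserialization-gadget")
    if WORKER_MARKER in payload:
        findings.append("aqueduct-worker")
    # A cookie that verifies under the real secret was forged with a leaked
    # secret (the exploit's recon step), not guessed.
    if secret is not None and sep and signature_is_valid(cookie, secret):
        findings.append("valid-signature")
    return findings


def parse_cookie_header(header: str) -> dict:
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def analyze_log(lines: List[str], secret: Optional[str] = None) -> List[dict]:
    """Run the CVE-2024-0200 detections over access-log lines; returns alerts in log order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        method, target, status, cookie_header = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if method == "GET" and RECON_PATH.match(url.path) and "rid_key" in query:
            alerts.append({"rule": "repository_items-rid_key", "detail": query["rid_key"][0]})
        gh_render = parse_cookie_header(cookie_header or "").get("_gh_render")
        if not gh_render:
            continue
        findings = inspect_gh_render(gh_render, secret)
        anomalous = [f for f in findings if f != "valid-signature"]
        if anomalous:
            alerts.append({"rule": "gh_render-anomaly", "detail": ",".join(anomalous)})
        if "deserialization-gadget" in findings and "valid-signature" in findings:
            alerts.append({"rule": "session-secret-compromised", "detail": target})
        if status == "500" and url.path == "/" and "deserialization-gadget" in findings:
            alerts.append({"rule": "rce-attempt-500", "detail": target})
    return alerts


# Constructed sample data: the secret stands in for a leaked ENTERPRISE_SESSION_SECRET,
# BENIGN_PAYLOAD is Marshal.dump({}), GADGET_PREFIX is the page's IOC bytes URL-decoded.
SECRET = "constructed-session-secret"
BENIGN_PAYLOAD = b"\x04\x08{\x00"
GADGET_PREFIX = (b"\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"
                 b"\x09:\x0e@instanceo:\x1dAqueduct::Worker::Worker")
SAMPLE_LOG = [
    f'GET /api/v3/user/orgs 200 cookie="logged_in=yes; _gh_render={rails_sign(BENIGN_PAYLOAD, SECRET)}"',
    f'GET /organizations/acme/settings/actions/repository_items?page=1&rid_key=nw_fsck 200 cookie="_gh_render={rails_sign(BENIGN_PAYLOAD, SECRET)}"',
    f'GET / 500 cookie="_gh_render={rails_sign(GADGET_PREFIX, SECRET)}"',
    f'GET / 200 cookie="_gh_render={rails_sign(GADGET_PREFIX, "guessed-secret")}"',
]

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG, SECRET):
        print(alert["rule"], alert["detail"])
```

Run without a secret and the script still flags the recon request, the gadget cookies and the 500 on "/"; pass the instance secret and a gadget cookie that verifies is escalated to session-secret-compromised, which is the signal that key rotation (not just patching) is due. The 2048-byte threshold is an arbitrary starting point; baseline it against your own instance's normal _gh_render sizes.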