# CVE-2024-0200
Published: 2024-01-16
Priority: P1 86 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available · EPSS: 71.73% (99.3rd percentile)
An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. This vulnerability was reported via the GitHub Bug Bounty program.
## Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github | enterprise_server | >= 3.10.0 < 3.10.5 | 3.10.5 |
| github | enterprise_server | >= 3.11.0 < 3.11.3 | 3.11.3 |
| github | enterprise_server | >= 3.8.0 < 3.8.13 | 3.8.13 |
| github | enterprise_server | >= 3.9.0 < 3.9.8 | 3.9.8 |
## Detection & IOCs (extracted from sources)
- url: /api/v3/user/orgs
- url: /api/v3/orgs/{org_name}/memberships/{username}
- url: /api/v3/orgs/{org_name}/repos
- url: /organizations/{org_name}/settings/actions/repository_items?page=1&rid_key=nw_fsck
- cookie: _gh_render={{final_payload}} (serialized ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy payload)
- path: /organizations/*/settings/actions/repository_items
- other: ENTERPRISE_SESSION_SECRET
- bytes: %04%08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy%09:%0e@instanceo:%1dAqueduct::Worker::Worker

Snort/Suricata rule (ET SID 2058205):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Github Enterprise Unsafe Reflection Information Leak Attempt (CVE-2024-0200)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/organizations/"; startswith; content:"/settings/actions/repository_items"; distance:0; content:"rid_key|3d|restore_objects"; fast_pattern; distance:0; reference:url,blog.convisoappsec.com/en/analysis-of-github-enterprise-vulnerabilities-cve-2024-0507-cve-2024-0200/; reference:cve,2024-0200; classtype:attempted-admin; sid:2058205; rev:1; metadata:affected_product Github_Enterprise, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_12_12, cve CVE_2024_0200, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_12_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- The exploit chain begins with GET /api/v3/user/orgs to enumerate org membership, then checks for the 'admin' role in the org membership API response before proceeding.
- The exploit extracts ENTERPRISE_SESSION_SECRET from the repository_items endpoint using the regex pattern '"ENTERPRISE_SESSION_SECRET"=>"([^"]+?)"' on the response body.
- The malicious payload is delivered via the _gh_render cookie as a base64-encoded, HMAC-signed Ruby Marshal object (ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy wrapping Aqueduct::Worker::Worker). Detect anomalously large or structurally unusual _gh_render cookie values.
- Snort/Suricata SID 2058205 detects the exploit's reconnaissance phase: a GET to /organizations/*/settings/actions/repository_items with the rid_key=restore_objects query parameter.
- Successful exploitation results in an HTTP 500 response from the server combined with an outbound DNS/HTTP callback (OOB interaction). Correlate 500 errors on the root path '/' with anomalous _gh_render cookies.
- The exploit computes HMAC-SHA1 over the base64-encoded Marshal payload with the extracted ENTERPRISE_SESSION_SECRET to forge a valid _gh_render cookie (format: base64_payload--hmac_digest).
- Shodan/FOFA queries can identify exposed GitHub Enterprise instances: Shodan 'title:"GitHub Enterprise"', FOFA 'app="Github-Enterprise"'.
- Exploitation requires the attacker to be authenticated with an organization owner (admin) role on the GHES instance; unauthenticated exploitation is not possible.
- The Nuclei template requires valid credentials (username/password) to be supplied as variables; it performs a full authenticated session flow before delivering the payload.
- GitHub rotated all potentially exposed credentials (commit signing key, GitHub Actions, Codespaces, and Dependabot customer encryption keys) after the vulnerability was reported; customers using those keys must import new public keys.
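A defender-side check that turns the indicators above into log-scanning logic, written for this page as an added example (it is not code from the advisory, the ET rule author, GitHub or the Nuclei template). It assumes a simplified (method, URI, Cookie header, status) access-log record layout and uses constructed sample records; the size threshold is an assumption to tune against your own baseline.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Indicators quoted on this page: the recon URI matched by ET SID 2058205 and the Marshal header
# of the proxy object that a forged _gh_render cookie carries.
RECON_PATH = re.compile(r"^/organizations/[^/]+/settings/actions/repository_items$")
MARSHAL_PROXY = b"\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"
COOKIE_RE = re.compile(r"(?:^|;\s*)_gh_render=([^;\s]+)")
MAX_COOKIE_LEN = 256  # assumed threshold for "anomalously large"; tune to your own baseline

def decode_gh_render(value):
    """Decode the base64 half of a base64_payload--hmac_digest cookie value, or b'' if malformed."""
    payload, sep, _digest = unquote(value).partition("--")
    try:
        return base64.b64decode(payload + "=" * (-len(payload) % 4)) if sep else b""
    except ValueError:  # binascii.Error is a ValueError
        return b""

def check_request(method, path_query, cookie_header, status):
    """Return findings for one access-log record; the (method, uri, cookie, status) layout is assumed."""
    findings, url = [], urlparse(path_query)
    rid_key = parse_qs(url.query).get("rid_key", [])
    if method == "GET" and RECON_PATH.match(url.path) and rid_key:
        if "restore_objects" in rid_key:
            findings.append("recon: rid_key=restore_objects (matches ET SID 2058205)")
        else:  # the page's IoC list also shows rid_key=nw_fsck, which the SID does not cover
            findings.append("recon: repository_items with rid_key=%s (low confidence)" % rid_key[0])
    m = COOKIE_RE.search(cookie_header or "")
    if m:
        if len(m.group(1)) > MAX_COOKIE_LEN:
            findings.append("oversized _gh_render cookie")
        if decode_gh_render(m.group(1)).startswith(MARSHAL_PROXY):
            findings.append("_gh_render carries a DeprecatedInstanceVariableProxy Marshal object")
            if status == 500 and url.path == "/":
                findings.append("HTTP 500 on / with forged cookie: hunt for OOB DNS/HTTP callbacks")
    return findings

# Constructed sample: the page's Marshal byte signature wrapped as a cookie with a dummy digest.
_PAYLOAD = MARSHAL_PROXY + b"\x09:\x0e@instanceo:\x1dAqueduct::Worker::Worker"
SAMPLE_COOKIE = "_gh_render=" + base64.b64encode(_PAYLOAD).decode() + "--" + "0" * 40
SAMPLE_LOG = [  # (method, path+query, Cookie header, status), all constructed
    ("GET", "/organizations/acme/settings/actions/repository_items?page=1&rid_key=restore_objects", "", 200),
    ("GET", "/organizations/acme/settings/actions/repository_items?page=1&rid_key=nw_fsck", "", 200),
    ("GET", "/", SAMPLE_COOKIE, 500),
]

def scan(records):
    """Map record index -> findings, for every record that hit at least one indicator."""
    return {i: f for i, r in enumerate(records) if (f := check_request(*r))}
```

Note that the Suricata rule alone misses the rid_key=nw_fsck variant listed in the IoCs, which is why the cookie-shape check is the more robust signal.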
## Suricata: ET WEB_SPECIFIC_APPS Github Enterprise Unsafe Reflection Information Leak Attempt (CVE-2024-0200)
suricata · 2024-12-12 · CVSS 7.2 · HIGH
Rule: ET SID 2058205, reproduced in full under Detection & IOCs above.
## Suricata: ET WEB_SPECIFIC_APPS Github Enterprise S3 OIDC Command Injection Attempt (CVE-2024-0507)
suricata · 2024-12-12 · CVSS 6.5 · MEDIUM
Rule (truncated in the source):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Github Enterprise S3 OIDC Command Injection Attempt (CVE-2024-0507)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:36; content:"/setup/settings/test/storage/actions"; http.request_body; content:"actions_storage"; fast_pattern; content:"s3_oidc"; within:10; content:"bucket_name"; within:17; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,blog.convisoappsec.com/en/analysis-of-github-enterprise-vulnerabilities-cve-2024-0507-cve-2024-0200/; reference:cve,2024-0507; classtype:attempted-admin; sid:2058204; rev:1; metadata:affected_product Github_E
```
## Nuclei: Github Enterprise Authenticated Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
Template (truncated in the source):

```yaml
id: CVE-2024-0200
info:
  name: Github Enterprise Authenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    An unsafe reflection vulnerability was identified in GitHub Enterprise Server that co
```
## BleepingComputer: GitHub rotates keys to mitigate impact of credential-exposing flaw
blogs_bleepingcomputer · 2024-01-16 · CVSS 7.2 · HIGH
By Sergiu Gatlan

GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables.

This unsafe reflection vulnerability (tracked as CVE-2024-0200) can allow attackers to gain remote code execution on unpatched servers.

It was also patched on Tuesday in GitHub Enterprise Server (GHES) versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3, with the company urging all customers to install the security update as soon as possible.

While allowing threat actors to gain access to environment variables of a production container, including credentials, successful exploitation requires authentication with an organization owne
## GreyNoise: NoiseLetter June 2025
blogs_greynoiseio
## References
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.13
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.8
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.5
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.3