CVE-2024-0507
published 2024-01-16

Priority P1 · 83 · high · CVSS 3.1: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 65.80% (99.2th percentile)
An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.11.3, 3.10.5, 3.9.8, and 3.8.13. This vulnerability was reported via the GitHub Bug Bounty program.

Affected

8 ranges
Vendor   Product             Version range         Fixed in
github   enterprise_server   < 3.8.13              3.8.13
github   enterprise_server   >= 3.10.0 < 3.10.5    3.10.5
github   enterprise_server   3.10.0 – 3.10.4
github   enterprise_server   >= 3.11.0 < 3.11.3    3.11.3
github   enterprise_server   3.11.0 – 3.11.2
github   enterprise_server   3.8.0 – 3.8.12
github   enterprise_server   >= 3.9.0 < 3.9.8      3.9.8
github   enterprise_server   3.9.0 – 3.9.7

Detection & IOCs

path: /setup/settings/test/storage/actions
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Github Enterprise S3 OIDC Command Injection Attempt (CVE-2024-0507)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:36; content:"/setup/settings/test/storage/actions"; http.request_body; content:"actions_storage"; fast_pattern; content:"s3_oidc"; within:10; content:"bucket_name"; within:17; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,blog.convisoappsec.com/en/analysis-of-github-enterprise-vulnerabilities-cve-2024-0507-cve-2024-0200/; reference:cve,2024-0507; classtype:attempted-admin; sid:2058204; rev:1;)
  • CVE-2024-0507 is a command injection in the Management Console, reached via a POST to /setup/settings/test/storage/actions. The request body must contain 'actions_storage', followed within 10 bytes by 's3_oidc', and within 17 bytes by 'bucket_name'. The injected payload in the bucket_name field uses shell metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • Exploiting the command injection for privilege escalation requires an authenticated Management Console user account with the editor role.
  • The Snort rule targets the URI /setup/settings/test/storage/actions and requires the URI buffer to be exactly 36 bytes long (bsize:36), the length of that path, which acts as a precise length-based filter to reduce false positives.
  • The Snort/Suricata rule for CVE-2024-0507 (sid:2058204) requires TLS decryption to be effective, as indicated by the tls_state:TLSDecrypt metadata. Without SSL/TLS inspection, the rule will not fire on encrypted traffic.
  • CVE-2024-0507 affects all versions of GitHub Enterprise Server and was fixed in versions 3.11.3, 3.10.5, 3.9.8, and 3.8.13. Detection rules are only relevant for unpatched instances.
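
For teams that have decrypted proxy or WAF request logs but no Suricata sensor in path, the rule's match logic can be replayed offline. The following is an added example, not part of the original page or the ET ruleset; the function names, the (method, uri, body) record layout, and the sample requests are assumptions constructed for illustration.

```python
import re

# Path from the rule; it is 36 bytes long, which is what bsize:36 pins down.
TARGET_URI = "/setup/settings/test/storage/actions"

# content:"s3_oidc"; within:10     -> at most 3 bytes after "actions_storage"
# content:"bucket_name"; within:17 -> at most 6 bytes after "s3_oidc"
# pcre:"/.../R" -> a shell metacharacter (raw or URL-encoded) before the
#                  next '&', searched from the end of "bucket_name"
RULE_BODY = re.compile(
    rb"actions_storage.{0,3}?s3_oidc.{0,6}?bucket_name"
    rb"[^&]*?(;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)",
    re.DOTALL,
)

def match_request(method, uri, body):
    """Return the metacharacter token that triggered the match, or None."""
    if method != "POST" or uri != TARGET_URI:
        return None
    m = RULE_BODY.search(body)
    return m.group(1).decode() if m else None

def scan(records):
    """Return (index, token) for every record that matches the rule logic."""
    hits = []
    for i, (method, uri, body) in enumerate(records):
        token = match_request(method, uri, body)
        if token is not None:
            hits.append((i, token))
    return hits

# Constructed sample records (decrypted method, URI, raw body); not real traffic.
SAMPLES = [
    ("POST", TARGET_URI, b"actions_storage%5Bs3_oidc%5D%5Bbucket_name%5D=example-bucket"
                         b"&actions_storage%5Bs3_oidc%5D%5Bregion%5D=us-east-1"),
    ("POST", TARGET_URI, b"actions_storage[s3_oidc][bucket_name]=example-bucket%3BPLACEHOLDER"),
    ("GET", TARGET_URI, b"actions_storage[s3_oidc][bucket_name]=example-bucket%3BPLACEHOLDER"),
    ("POST", "/setup/settings", b"actions_storage[s3_oidc][bucket_name]=x%3BPLACEHOLDER"),
    ("POST", TARGET_URI, b"actions_storage[s3_oidc][bucket_name]=ok&note=a%7Cb"),
    ("POST", TARGET_URI, b"actions_storage%5Bs3_oidc%5D%5Bbucket_name%5D=example%7CPLACEHOLDER"),
]

if __name__ == "__main__":
    for idx, token in scan(SAMPLES):
        print(f"record {idx}: metacharacter {token!r} in bucket_name")
```

A hit only shows that a request matched the rule's pattern; confirm against the instance's version and Management Console audit logs before treating it as an exploitation attempt.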