CVE-2024-0507
Published 2024-01-16
Priority: P1 (83) · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit
EPSS: 65.80% (99.2nd percentile)
An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.11.3, 3.10.5, 3.9.8, and 3.8.13. This vulnerability was reported via the GitHub Bug Bounty program.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github | enterprise_server | < 3.8.13 (3.8.0 – 3.8.12 and every earlier release) | 3.8.13 |
| github | enterprise_server | >= 3.9.0, < 3.9.8 (3.9.0 – 3.9.7) | 3.9.8 |
| github | enterprise_server | >= 3.10.0, < 3.10.5 (3.10.0 – 3.10.4) | 3.10.5 |
| github | enterprise_server | >= 3.11.0, < 3.11.3 (3.11.0 – 3.11.2) | 3.11.3 |
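Triage helper added here (not GitHub tooling and not from the page's sources) that applies the ranges in the table above to a version string. It assumes, as the advisory states, that branches older than 3.8 never received a fix, and that 3.12 and later were cut after the fix; the inventory strings in the `__main__` block are constructed.

```python
"""Check a GitHub Enterprise Server version string against the CVE-2024-0507
affected ranges. Added example, not GitHub tooling."""

# Branch -> first fixed release, per the advisory and the affected table.
FIXED_IN = {
    (3, 8): (3, 8, 13),
    (3, 9): (3, 9, 8),
    (3, 10): (3, 10, 5),
    (3, 11): (3, 11, 3),
}
FIRST_PATCHED_BRANCH = (3, 8)   # the advisory says every earlier version is affected


def parse_version(text: str) -> tuple:
    """'3.10.4' -> (3, 10, 4); rejects anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a GHES release version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> bool:
    """True when the version falls inside an affected range for CVE-2024-0507."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    # Branches before 3.8 never got a fix (affected); 3.12 and later were cut
    # after it (assumption: not affected).
    return branch < FIRST_PATCHED_BRANCH


def triage(versions) -> dict:
    """Map each version string to 'affected', 'fixed' or 'invalid'."""
    out = {}
    for v in versions:
        try:
            out[v] = "affected" if is_affected(v) else "fixed"
        except ValueError:
            out[v] = "invalid"
    return out


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = ["3.7.20", "3.8.12", "3.8.13", "3.10.4", "3.11.3", "3.12.0", "3.10"]
    for v, status in triage(inventory).items():
        print(f"{v:>8}  {status}")
```

Feed it the version reported by the Management Console or `ghe-version` on each appliance; anything it reports as affected should be upgraded to the fixed release for its branch.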
Detection & IOCs (extracted from sources)
Suricata rule (ET Open, sid:2058204; written with Suricata sticky-buffer keywords such as http.uri and bsize):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Github Enterprise S3 OIDC Command Injection Attempt (CVE-2024-0507)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:36; content:"/setup/settings/test/storage/actions"; http.request_body; content:"actions_storage"; fast_pattern; content:"s3_oidc"; within:10; content:"bucket_name"; within:17; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,blog.convisoappsec.com/en/analysis-of-github-enterprise-vulnerabilities-cve-2024-0507-cve-2024-0200/; reference:cve,2024-0507; classtype:attempted-admin; sid:2058204; rev:1;)
- CVE-2024-0507 exploits a command injection in the Management Console via a POST to /setup/settings/test/storage/actions. The rule requires the request body to contain "actions_storage", then "s3_oidc" ending within 10 bytes of that match, then "bucket_name" ending within 17 bytes of the previous one. The injected payload in the bucket_name value uses shell metacharacters, raw or URL-encoded: semicolon (; / %3B), newline (\n / %0A), backtick (` / %60), pipe (| / %7C) or dollar sign ($ / %24). The pcre stops at the next "&", so only the bucket_name value is inspected, and the content chain assumes the form fields arrive in that order.
- The vulnerability requires an authenticated Management Console user account with the editor role; the command injection is then used for privilege escalation.
- The rule matches the URI /setup/settings/test/storage/actions with an exact http.uri buffer length of 36 bytes (bsize:36). This is a precise length filter that reduces false positives, but because the normalized URI buffer includes any query string, a request with a query string appended to the path would not match.
- The Suricata rule for CVE-2024-0507 (sid:2058204) requires TLS decryption to be effective, as indicated by the tls_state TLSDecrypt metadata. Without SSL/TLS inspection in front of the Management Console, the rule will not fire on encrypted traffic.
- CVE-2024-0507 affects all versions of GitHub Enterprise Server and was fixed in versions 3.11.3, 3.10.5, 3.9.8, and 3.8.13. Detection rules are only relevant for unpatched instances.
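To see exactly what sid:2058204 does and does not catch, the following added example (not the ET rule, not Suricata, and not GHES code) re-implements the rule's match logic in Python, including Suricata's backtracking over relative content matches, and runs it over constructed requests. The form field layout (`actions_storage=s3_oidc&bucket_name=...`) is an assumption made for the samples, not the Management Console's real request format.

```python
"""Emulate the match logic of ET sid:2058204 (CVE-2024-0507) over sample requests.
Added example: not the ET rule engine and not GitHub Enterprise Server code."""
import re

# http.uri; bsize:36; content:"..." -> the normalized URI buffer (query string
# included) must be exactly these 36 bytes.
TARGET_URI = b"/setup/settings/test/storage/actions"

# The rule's pcre, applied relative (/R) to the end of the "bucket_name" match:
# lazily skip non-'&' bytes, then require one or more raw or %-encoded ; \n ` | $
METACHAR = re.compile(
    rb"^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+"
)

# Content chain from the rule: each needle must END within `within` bytes after
# the previous match's end (None = anywhere in the request body).
CHAIN = [(b"actions_storage", None), (b"s3_oidc", 10), (b"bucket_name", 17)]


def _chain_ends(body: bytes, start: int, steps):
    """Yield every end offset reachable by matching `steps` in order. Suricata
    backtracks to later occurrences when a relative match fails, so yield all."""
    if not steps:
        yield start
        return
    needle, within = steps[0]
    limit = len(body) if within is None else start + within
    pos = body.find(needle, start, limit)  # find() only reports hits fully inside [start, limit)
    while pos != -1:
        yield from _chain_ends(body, pos + len(needle), steps[1:])
        pos = body.find(needle, pos + 1, limit)


def sid_2058204_matches(method: bytes, uri: bytes, body: bytes) -> bool:
    """True when a client->server request would trigger the rule."""
    if method != b"POST" or uri != TARGET_URI:
        return False
    return any(METACHAR.match(body[end:]) for end in _chain_ends(body, 0, CHAIN))


# Constructed sample requests (not captured traffic; field names are assumed).
SAMPLES = {
    "benign_test":     (b"POST", TARGET_URI, b"actions_storage=s3_oidc&bucket_name=ci-artifacts&region=us-east-1"),
    "encoded_semi":    (b"POST", TARGET_URI, b"actions_storage=s3_oidc&bucket_name=ci%3Bid&region=us-east-1"),
    "raw_backtick":    (b"POST", TARGET_URI, b"actions_storage=s3_oidc&bucket_name=ci`id`"),
    "dollar":          (b"POST", TARGET_URI, b"actions_storage=s3_oidc&bucket_name=$(id)"),
    "space_only":      (b"POST", TARGET_URI, b"actions_storage=s3_oidc&bucket_name=ci%20bucket"),
    "meta_next_field": (b"POST", TARGET_URI, b"actions_storage=s3_oidc&bucket_name=ci&region=us;id"),
    "reordered":       (b"POST", TARGET_URI, b"bucket_name=ci%3Bid&actions_storage=s3_oidc"),
    "query_string":    (b"POST", TARGET_URI + b"?v=1", b"actions_storage=s3_oidc&bucket_name=ci%3Bid"),
    "get_method":      (b"GET", TARGET_URI, b"actions_storage=s3_oidc&bucket_name=ci%3Bid"),
}


def run_samples() -> dict:
    """Name -> whether the emulated rule alerts on that sample."""
    return {name: sid_2058204_matches(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{'ALERT ' if hit else 'no hit'}  {name}")
```

The three negative cases that matter operationally are `meta_next_field` (a metacharacter in a later field never reaches the pcre because it stops at `&`), `reordered` (the content chain is order-dependent) and `query_string` (the exact bsize:36 check makes a trailing query string a miss). If you tune this rule, those are the gaps to cover with an additional, looser signature.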
Related rule: Suricata · ET WEB_SPECIFIC_APPS Github Enterprise Unsafe Reflection Information Leak Attempt (CVE-2024-0200) · sid:2058205 · 2024-12-12 · listed CVSS 7.2 [HIGH]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Github Enterprise Unsafe Reflection Information Leak Attempt (CVE-2024-0200)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/organizations/"; startswith; content:"/settings/actions/repository_items"; distance:0; content:"rid_key|3d|restore_objects"; fast_pattern; distance:0; reference:url,blog.convisoappsec.com/en/analysis-of-github-enterprise-vulnerabilities-cve-2024-0507-cve-2024-0200/; reference:cve,2024-0200; classtype:attempted-admin; sid:2058205; rev:1; metadata:affected_product Github_Enterprise, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_12_12, cve CVE_2024_0200, dep
Related rule: Suricata · ET WEB_SPECIFIC_APPS Github Enterprise S3 OIDC Command Injection Attempt (CVE-2024-0507) · sid:2058204 · 2024-12-12 · listed CVSS 6.5 [MEDIUM]
Rule: as given under Detection & IOCs above.
Related template: Nuclei · Github Enterprise Authenticated Remote Code Execution (CVE-2024-0200) · listed CVSS 9.8 [CRITICAL]
An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
Template:
```yaml
id: CVE-2024-0200
info:
  name: Github Enterprise Authenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    An unsafe reflection vulnerability was identified in GitHub Enterprise Server that co
```
References (GitHub Enterprise Server release notes for the fixed versions)
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.13
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.8
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.5
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.3