cbcvebase.
CVE-2024-1355
published 2024-02-13


Priority: P2 60
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 2.36% (81.7th percentile)
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the actions-console docker container while setting a service URL. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program.

Affected (5 ranges)

Vendor   Product             Version range         Fixed in
github   enterprise_server   < 3.8.15              3.8.15
github   enterprise_server   >= 3.10.0 < 3.10.7    3.10.7
github   enterprise_server   >= 3.11.0 < 3.11.5    3.11.5
github   enterprise_server   >= 3.8.0 < 3.8.15     3.8.15
github   enterprise_server   >= 3.9.0 < 3.9.10     3.9.10

Detection & IOCs (extracted from sources)

  • Command injection occurs when an attacker with Management Console editor role sets a service URL in the actions-console docker container, resulting in admin SSH access to the appliance
  • Monitor for unexpected SSH sessions to the GitHub Enterprise Server appliance originating from or associated with the actions-console docker container process
  • Audit Management Console activity for editor-role accounts modifying service URL fields, which is the injection point for this vulnerability
  • Vulnerability affects all GitHub Enterprise Server versions prior to 3.12; patched versions are 3.11.5, 3.10.7, 3.9.10, and 3.8.15, so detection efforts should prioritize unpatched instances
  • Exploitation requires two preconditions: network access to the GHES instance AND a Management Console account with the editor role; both must be present for the attack chain to succeed

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vendor_redhat             5.5     MEDIUM