Lucene search

[email protected]CVE-2024-1369

HistoryFeb 13, 2024 - 7:15 p.m.

CVE-2024-1369

2024-02-1319:15:10

CWE-77

CWE-20

[email protected]

web.nvd.nist.gov

cve

2024

1369

command injection

vulnerability

github enterprise server

admin ssh access

bug bounty program

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.7%

JSON

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when setting the username and password for collectd configurations. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com .

Affected configurations

Vulners

NVD

Node

githubenterprise_serverRange3.8.0–3.8.15

githubenterprise_serverRange3.9.0–3.9.10

githubenterprise_serverRange3.10.0–3.10.7

githubenterprise_serverRange3.11.0–3.11.5

VendorProductVersionCPE
githubenterprise_server*cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
githubenterprise_server*cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
githubenterprise_server*cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
githubenterprise_server*cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
github	enterprise_server	*	cpe:2.3:a:github:enterprise_server::::::::
github	enterprise_server	*	cpe:2.3:a:github:enterprise_server::::::::
github	enterprise_server	*	cpe:2.3:a:github:enterprise_server::::::::
github	enterprise_server	*	cpe:2.3:a:github:enterprise_server::::::::

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "Enterprise Server",
    "vendor": "GitHub",
    "versions": [
      {
        "changes": [
          {
            "at": "3.8.15",
            "status": "unaffected"
          }
        ],
        "lessThan": "3.8.15",
        "status": "affected",
        "version": "3.8.0",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.9.10",
            "status": "unaffected"
          }
        ],
        "lessThan": "3.9.10",
        "status": "affected",
        "version": "3.9.0",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.10.7",
            "status": "unaffected"
          }
        ],
        "lessThan": "3.10.7",
        "status": "affected",
        "version": "3.10.0",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.11.5",
            "status": "unaffected"
          }
        ],
        "lessThan": "3.11.5",
        "status": "affected",
        "version": "3.11.0",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "3.12"
      }
    ]
  }
]

References

docs.github.com/en/[email protected]/admin/release-notes#3.10.7

docs.github.com/en/[email protected]/admin/release-notes#3.11.5

docs.github.com/en/[email protected]/admin/release-notes#3.8.15

docs.github.com/en/[email protected]/admin/release-notes#3.9.10

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.7%

JSON

Related for CVE-2024-1369

prion1 cvelist1 nvd1