Lucene search

[email protected]NVD:CVE-2024-1372

HistoryFeb 13, 2024 - 7:15 p.m.

CVE-2024-1372

2024-02-1319:15:10

CWE-20

CWE-77

[email protected]

web.nvd.nist.gov

github

command injection

admin ssh access

saml settings

vulnerability

management console

github bug bounty

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

26.7%

JSON

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when configuring SAML settings. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program https://bounty.github.com .

Affected configurations

NVD

Node

githubenterprise_serverRange<3.8.15

githubenterprise_serverRange3.9.0–3.9.10

githubenterprise_serverRange3.10.0–3.10.7

githubenterprise_serverRange3.11.0–3.11.5

References

docs.github.com/en/[email protected]/admin/release-notes#3.10.7

docs.github.com/en/[email protected]/admin/release-notes#3.11.5

docs.github.com/en/[email protected]/admin/release-notes#3.8.15

docs.github.com/en/[email protected]/admin/release-notes#3.9.10

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

26.7%

JSON

Related for NVD:CVE-2024-1372

cve1 cvelist1 prion1