Command Injection Vulnerability Patched in GitHub Enterprise Server

CVE: CVE-2024-1355
CVSS (v3.1): 9.1
Source: CVE-2024-1355

GitHub Enterprise Server, the on-premises version of GitHub that companies use for private code hosting, had a serious command injection vulnerability that allowed attackers to gain admin access.

The vulnerability was present in the actions-console docker container used for configuring services. An attacker with only editor access in the management console could craft a malicious URL that would execute commands with root privileges on the server.

This meant that anyone with access to the management console interface, like a collaborator, could potentially exploit it to take full control of the GitHub Enterprise instance and access any private code and data.
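To make the bug class concrete, here is an added illustration (not GitHub Enterprise Server code) of a hypothetical console handler that restarts a service named in a URL query parameter: the vulnerable form splices the value into a shell string, while the hardened form allow-lists the name and builds an argv list so no shell ever parses it. The service names, URL and `systemctl` command are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed allow-list: lowercase service names only, no shell metacharacters.
SERVICE_NAME = re.compile(r"^[a-z][a-z0-9-]{0,31}$")


def service_from_url(url: str) -> str:
    """Extract the 'service' query parameter as the console would see it."""
    params = parse_qs(urlparse(url).query)
    values = params.get("service")
    if not values:
        raise ValueError("missing 'service' parameter")
    return values[0]


def vulnerable_command(url: str) -> str:
    """Vulnerable pattern: the untrusted value becomes part of a shell string.
    Anything the shell treats specially (;, |, &&, $(), backticks) is then
    interpreted as command syntax. Returned, not executed, to keep this inert."""
    return f"systemctl restart {service_from_url(url)}"


def hardened_command(url: str) -> list[str]:
    """Hardened pattern: reject anything outside a strict allow-list and build
    an argv list, so the value is only ever a single argument to systemctl."""
    name = service_from_url(url)
    if not SERVICE_NAME.fullmatch(name):
        raise ValueError(f"rejected service name: {name!r}")
    return ["systemctl", "restart", name]


if __name__ == "__main__":
    # Constructed request: %3B is a URL-encoded ';' appended to the service name.
    benign = "https://console.example/restart?service=actions"
    crafted = "https://console.example/restart?service=actions%3Bid"
    print(vulnerable_command(crafted))   # the shell would see two commands here
    print(hardened_command(benign))      # ['systemctl', 'restart', 'actions']
    try:
        hardened_command(crafted)
    except ValueError as exc:
        print("blocked:", exc)
```

The hardened handler still needs to run with the least privilege the action requires; input validation does not by itself justify a root-owned service container.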

Luckily, GitHub was promptly notified about this issue through their bug bounty program and they released patches for all supported versions to fix the command injection flaw.

If you use GitHub Enterprise Server, it’s important to always keep your installation up to date with the latest patches to protect against vulnerabilities like this. Regularly reviewing access permissions and monitoring logs for any anomalies can also help enhance security.

Staying vigilant about application updates is key to defending against attacks on software supply chains and preventing unauthorized access to important systems and proprietary code.
