Command Injection Vulnerability Patched in GitHub Enterprise Server – Protect Your Code Repository

CVE: CVE-2024-1378
CVSS (v3.1): 9.1
Source: CVE-2024-1378

GitHub Enterprise Server is a popular tool used by many companies to host private code repositories on their own infrastructure. A command injection vulnerability was discovered that could allow an attacker to gain administrative access to servers running older versions of GitHub Enterprise Server.

The vulnerability resided in the SMTP configuration section of the Management Console. An attacker holding the Management Console editor role could craft a malicious command in those settings and have it executed with root privileges, gaining full control over the server. That level of access would allow them to view, download or modify any code stored in private repositories on that server.

GitHub was notified and patched the issue in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15 of GitHub Enterprise Server. If you are running an earlier release in any of these lines, update to the patched release or later as soon as possible to protect your code from potential exploitation.

Command injection vulnerabilities are serious because they allow an attacker to run arbitrary commands on the system. Keep your software up to date so that attackers cannot take advantage of known issues, and treat configuration fields whose values reach operating-system commands, such as SMTP settings, as untrusted input.
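As an added illustration (this is not GitHub's code, and the page gives no details of the actual fix), the following Python contrasts the vulnerable pattern, interpolating an SMTP setting into a shell command string, with a hardened path that validates the host, port and username against strict allow-lists and passes them to a helper as separate argv elements with no shell involved. The helper name `smtp-probe` and the settings dictionary layout are assumptions made for the example.

```python
import re
import shlex
import subprocess

# Hostname per RFC 1123 label rules: each label is 1-63 alphanumerics or
# hyphens, not starting or ending with a hyphen; labels are joined by dots.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")
# SMTP usernames: a conservative character set (local-part characters plus
# '@' for full-address logins). Anything outside it is rejected, not escaped.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._%+@-]{1,254}$")


def validate_smtp_settings(settings: dict) -> dict:
    """Return a normalized copy of the settings or raise ValueError."""
    host = settings.get("host", "")
    if len(host) > 253 or not _HOSTNAME_RE.match(host):
        raise ValueError(f"invalid SMTP host: {host!r}")
    port = settings.get("port")
    # bool is a subclass of int, so exclude it explicitly.
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        raise ValueError(f"invalid SMTP port: {port!r}")
    username = settings.get("username", "")
    if username and not _USERNAME_RE.match(username):
        raise ValueError(f"invalid SMTP username: {username!r}")
    return {"host": host, "port": port, "username": username}


def unsafe_shell_command(settings: dict) -> str:
    """Vulnerable pattern (shown only for contrast): operator-supplied values
    are interpolated into a string that would be handed to a shell. A host
    value containing a shell metacharacter is no longer a single argument."""
    return f"smtp-probe --host {settings['host']} --port {settings['port']}"


def smtp_probe_argv(settings: dict) -> list:
    """Hardened pattern: validate first, then build an argv list so each
    value reaches the helper as exactly one argument, whatever it contains."""
    s = validate_smtp_settings(settings)
    argv = ["smtp-probe", "--host", s["host"], "--port", str(s["port"])]
    if s["username"]:
        argv += ["--user", s["username"]]
    return argv


def run_smtp_probe(settings: dict) -> subprocess.CompletedProcess:
    """Execute the hypothetical helper without a shell (shell=False)."""
    return subprocess.run(smtp_probe_argv(settings), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed sample input: a hostname carrying a shell separator.
    crafted = {"host": "mail.example.com; echo injected", "port": 587}
    print("unsafe string :", unsafe_shell_command(crafted))
    try:
        smtp_probe_argv(crafted)
    except ValueError as exc:
        print("hardened path :", exc)
    good = {"host": "mail.example.com", "port": 587, "username": "notify@example.com"}
    print("argv (quoted) :", shlex.join(smtp_probe_argv(good)))
```

Two design choices are worth noting. Validation rejects rather than escapes, because a shell-escaping step protects only the one shell you had in mind, while an allow-list holds regardless of where the value ends up later (a config file, a second process, a log line). The hostname pattern accepts dotted IPv4 literals but deliberately not bracketed IPv6 literals; widen it only if your deployment needs that form.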
