CVE-2024-2469

An attacker with an Administrator role in GitHub Enterprise Server could gain SSH root access via remote code execution. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.17, 3.9.12, 3.10.9, 3.11.7 and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.9
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.7
https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.1
https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.17
https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.12

Configurations

No configuration.

History

No history.

Information

Published : 2024-03-20 23:15

Updated : 2024-03-21 12:58

NVD link : CVE-2024-2469

Mitre link : CVE-2024-2469

CVE.ORG link : CVE-2024-2469

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2024-2469", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "product-cna@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.3}]}, "published": "2024-03-20T23:15:07.430", "references": [{"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.9", "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.7", "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.1", "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.17", "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.12", "source": "product-cna@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "product-cna@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "An attacker with an Administrator role in GitHub Enterprise Server could gain SSH root access via remote code execution.\u00a0This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.17, 3.9.12, 3.10.9, 3.11.7 and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program."}, {"lang": "es", "value": "Un atacante con funci\u00f3n de administrador en GitHub Enterprise Server podr\u00eda obtener acceso ra\u00edz SSH mediante la ejecuci\u00f3n remota de c\u00f3digo. Esta vulnerabilidad afect\u00f3 a GitHub Enterprise Server versi\u00f3n 3.8.0 y superiores y se solucion\u00f3 en las versiones 3.8.17, 3.9.12, 3.10.9, 3.11.7 y 3.12.1. Esta vulnerabilidad se inform\u00f3 a trav\u00e9s del programa GitHub Bug Bounty."}], "lastModified": "2024-03-21T12:58:51.093", "sourceIdentifier": "product-cna@github.com"}