CVE-2024-0200

moderate-risk

Published 2024-01-16

An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. This vulnerability was reported via the GitHub Bug Bounty program.

Do I need to act?

70.8% chance of exploitation in next 30 days

EPSS score — higher than 29% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.2/10 High

NETWORK / HIGH complexity

Affected Products (1)

Enterprise Server

Affected Vendors

Github

References (8)

Release Notes https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.5

Release Notes https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.3

Release Notes https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.13

Release Notes https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.8

Release Notes https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.5

Release Notes https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.3

Release Notes https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.13

Release Notes https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.8

/ 100

moderate-risk

Severity 22/34 · High

Exploitability 19/34 · Moderate

Exposure 5/34 · Minimal