CVE-2024-0507

moderate-risk

Published 2024-01-16

An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.11.3, 3.10.5, 3.9.8, and 3.8.13 This vulnerability was reported via the GitHub Bug Bounty program.

Do I need to act?

72.9% chance of exploitation in next 30 days

EPSS score — higher than 27% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Enterprise Server

Affected Vendors

Github

References (8)

Release Notes https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.5

Release Notes https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.3

Release Notes https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.13

Release Notes https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.8

Release Notes https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.5

Release Notes https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.3

Release Notes https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.13

Release Notes https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.8

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 19/34 · Moderate

Exposure 5/34 · Minimal