CVE-2024-0200

Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 3.8.13 GitHub Enterprise Server versions prior to 3.9.8 GitHub Enterprise Server versions prior to 3.10.5 GitHub Enterprise Server versions prior to 3.11.3 GitHub Enterprise Server versions prior to 3.12

Description An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection, allowing the execution of user-controlled methods and remote code execution. This issue could be exploited by an actor logged into an account on the GHES instance with the organization owner role. The vulnerability was reported via the GitHub Bug Bounty program.

Recommendations For GitHub Enterprise Server versions prior to 3.8.13, update to version 3.8.13 or later. For GitHub Enterprise Server versions prior to 3.9.8, update to version 3.9.8 or later. For GitHub Enterprise Server versions prior to 3.10.5, update to version 3.10.5 or later. For GitHub Enterprise Server versions prior to 3.11.3, update to version 3.11.3 or later. For GitHub Enterprise Server versions prior to 3.12, update to version 3.12 or later.