CVE-2024-1355

Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 3.12 GitHub Enterprise Server versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15 are not affected as they contain the fix.

Description A command injection issue was identified in GitHub Enterprise Server, allowing an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the actions-console docker container while setting a service URL. Exploitation required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This issue was reported via the GitHub Bug Bounty program.

Recommendations For GitHub Enterprise Server versions prior to 3.12, update to version 3.11.5, 3.10.7, 3.9.10, or 3.8.15 to resolve the issue. As a temporary workaround, consider restricting access to the Management Console and the actions-console docker container to minimize the risk of exploitation.