CVE-2024-1082

Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.12 GitHub Enterprise Server versions 3.8.0 through 3.8.14 GitHub Enterprise Server versions 3.9.0 through 3.9.9 GitHub Enterprise Server versions 3.10.0 through 3.10.6 GitHub Enterprise Server versions 3.11.0 through 3.11.4

Description: A path traversal vulnerability was identified in GitHub Enterprise Server that allows an attacker to gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the GitHub Bug Bounty program.

Recommendations: For GitHub Enterprise Server versions 3.8.0 through 3.8.14, update to version 3.8.15. For GitHub Enterprise Server versions 3.9.0 through 3.9.9, update to version 3.9.10. For GitHub Enterprise Server versions 3.10.0 through 3.10.6, update to version 3.10.7. For GitHub Enterprise Server versions 3.11.0 through 3.11.4, update to version 3.11.5. For GitHub Enterprise Server versions prior to 3.8.0, update to a fixed version. As a temporary workaround, consider restricting access to the GitHub Pages site to minimize the risk of exploitation.