CVE-2024-0200 HIGH

CVE-2024-0200: Unsafe Reflection in Github Enterprise Server leading to Command Injection

Vendor GitHub
Product Enterprise Server
Weakness CWE-470
Published January 16, 2024
Last update August 1, 2024

CVSS base score

7.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L

What the vulnerability does

Description

An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.13, 3.9.8, 3.10.5, and 3.11.3. This vulnerability was reported via the GitHub Bug Bounty program.

Key dates

Disclosure timeline

January 16, 2024 CVE published
August 1, 2024 Record updated