CVE-2020-10519
📋 TL;DR
CVE-2020-10519 is a remote code execution vulnerability in GitHub Enterprise Server that allows authenticated users with GitHub Pages creation permissions to execute arbitrary commands on the server. The vulnerability occurs due to insufficient restrictions on user-controlled parser configurations during GitHub Pages site builds. This affects organizations running vulnerable versions of GitHub Enterprise Server.
💻 Affected Systems
- GitHub Enterprise Server
📦 What is this software?
Github by Github
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the GitHub Enterprise Server instance, allowing attackers to access source code, user credentials, modify repositories, and pivot to internal network resources.
Likely Case
Unauthorized access to sensitive repository data, credential theft, and potential lateral movement within the organization's development infrastructure.
If Mitigated
Limited impact due to strict access controls and monitoring, with only authorized users potentially exploiting the vulnerability within their permission scope.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions. The vulnerability was discovered through GitHub's bug bounty program.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.22.7, 2.21.15, or 2.20.24
Vendor Advisory: https://docs.github.com/en/enterprise-server/admin/release-notes
Restart Required: Yes
Instructions:
1. Back up your GitHub Enterprise Server instance.
2. Download the appropriate patch version from GitHub Enterprise.
3. Follow the upgrade instructions for your deployment method (VMware, Hyper-V, AWS, Azure, or GCP).
4. Apply the update and restart the instance.
🔧 Temporary Workarounds
Restrict GitHub Pages Access
Temporarily disable or restrict GitHub Pages creation permissions to only essential users.
🧯 If You Can't Patch
- Implement strict access controls for GitHub Pages creation permissions
- Monitor GitHub Pages build logs for suspicious activity and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check your GitHub Enterprise Server version in the Management Console, or SSH into the appliance and run 'ghe-version'.
Check Version:
ssh admin@your-ghe-instance 'ghe-version'
Verify Fix Applied:
Run 'ghe-version' and verify that the version is 2.22.7, 2.21.15, or 2.20.24 or later.
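An added example (not part of the original advisory or of GitHub's tooling): each fixed release belongs to its own release series, so a single "newer than 2.20.24" comparison would wrongly pass 2.21.10. The function names are hypothetical, the 'ghe-version' output is assumed to contain the version as X.Y.Z, and series not listed on this page are reported as unlisted rather than guessed.

```shell
#!/bin/sh
# Added example: classify a GHES version against the fixed releases this
# page lists for CVE-2020-10519. Function names are hypothetical.

# Fixed patch level for each release series named on the page.
fixed_patch_for_series() {
  case "$1" in
    2.20) echo 24 ;;
    2.21) echo 15 ;;
    2.22) echo 7 ;;
    *) return 1 ;;
  esac
}

# Assumption: the 'ghe-version' output carries the version as X.Y.Z.
# Prints the first X.Y.Z token of the given text, or nothing.
extract_version() {
  printf '%s\n' "$1" |
    sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Prints patched, vulnerable, unlisted (series not on this page) or invalid.
ghes_cve_2020_10519_status() {
  version=$1
  case "$version" in
    '' | *[!0-9.]* | .* | *. | *..*) echo invalid; return 0 ;;
  esac
  case "$version" in
    *.*.*.*) echo invalid; return 0 ;;   # more than three parts
    *.*.*) ;;                            # exactly X.Y.Z
    *) echo invalid; return 0 ;;         # fewer than three parts
  esac
  series=${version%.*}    # e.g. 2.21
  patch=${version##*.}    # e.g. 10
  if ! fixed=$(fixed_patch_for_series "$series"); then
    echo unlisted; return 0
  fi
  if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Constructed sample output line, not captured from a real appliance.
sample='GitHub Enterprise Server 2.21.10'
ghes_cve_2020_10519_status "$(extract_version "$sample")"   # vulnerable
```

For an "unlisted" or "invalid" result, check the vendor advisory for that release series instead of assuming the instance is patched.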
📡 Detection & Monitoring
Log Indicators:
- Unusual GitHub Pages build activity
- Suspicious parser configuration changes
- Unexpected command execution in build logs
Network Indicators:
- Unusual outbound connections from GitHub Enterprise Server during builds
SIEM Query:
source="github-enterprise" AND (event="pages_build" OR event="pages_deploy") AND (config contains suspicious patterns)
🔗 References
- https://docs.github.com/en/enterprise-server%402.20/admin/release-notes#2.20.24
- https://docs.github.com/en/enterprise-server%402.21/admin/release-notes#2.21.15
- https://docs.github.com/en/enterprise-server%402.22/admin/release-notes#2.22.7