CVE-2024-1374

9.1 CRITICAL

📋 TL;DR

A command injection vulnerability in GitHub Enterprise Server allows an authenticated user with the editor role in the Management Console to execute arbitrary commands and gain admin SSH access when configuring audit log forwarding. This affects all GitHub Enterprise Server instances prior to version 3.12. An attacker needs both access to the instance and editor privileges in the Management Console.

💻 Affected Systems

Products:
  • GitHub Enterprise Server
Versions: All versions prior to 3.12
Operating Systems: Linux-based appliance
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Management Console access with editor role; not exploitable by regular GitHub users.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the GitHub Enterprise Server appliance with admin SSH access, allowing data exfiltration, code repository manipulation, and lateral movement within the environment.

🟠 Likely Case

Privilege escalation from editor to admin, enabling unauthorized access to sensitive data and system configuration.

🟢 If Mitigated

Limited impact due to proper access controls and monitoring, with only authorized users having Management Console access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with the editor role in the Management Console; the command injection occurs via Nomad templates in the audit log forwarding configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.11.5, 3.10.7, 3.9.10, or 3.8.15

Vendor Advisory: https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7

Restart Required: Yes

Instructions:

1. Back up your GitHub Enterprise Server instance.
2. Upgrade to a patched version (3.11.5, 3.10.7, 3.9.10, or 3.8.15).
3. Follow GitHub's upgrade documentation for your version.
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict Management Console Access

all

Limit Management Console access to only essential administrators; remove editor roles from non-essential users.

Disable Audit Log Forwarding

all

Temporarily disable audit log forwarding configuration if not required.

🧯 If You Can't Patch

  • Implement strict access controls to Management Console; only grant editor role to trusted administrators.
  • Monitor Management Console access logs and audit log configuration changes for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check the GitHub Enterprise Server version via the Management Console or SSH: if the version is below 3.12 and lower than the patched release for its branch (3.11.5, 3.10.7, 3.9.10, 3.8.15), you are vulnerable.

Check Version:

ssh admin@your-ghes-instance 'cat /etc/github-enterprise-version'

Verify Fix Applied:

After patching, verify version shows 3.11.5, 3.10.7, 3.9.10, 3.8.15 or higher in Management Console or via SSH.
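The version rule above (affected below 3.12, fixed at or above the patched release of each branch) is easy to get wrong by hand, especially for branches with no fixed release at all. The following is an added example, not a GitHub tool or part of the original advisory; it encodes the patched releases from this page in a table and classifies a version string such as the output of the SSH check. The function and table names are hypothetical.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases per branch, taken from this advisory. Hypothetical helper table,
# not a GitHub artifact; refresh it from the vendor release notes when they change.
PATCHED_RELEASES: Dict[Tuple[int, int], int] = {
    (3, 8): 15,   # 3.8.15
    (3, 9): 10,   # 3.9.10
    (3, 10): 7,   # 3.10.7
    (3, 11): 5,   # 3.11.5
}
FIRST_UNAFFECTED_BRANCH = (3, 12)  # 3.12 and later were never affected
OLDEST_FIXED_RELEASE = "3.8.15"    # lowest patched release named in the advisory

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from a version string; tolerates a leading 'v',
    surrounding whitespace and a trailing build suffix or newline."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_vulnerable(version: str) -> bool:
    """True if the instance is on an affected release per this advisory."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return False
    fixed_patch = PATCHED_RELEASES.get(branch)
    if fixed_patch is None:
        # Branch older than 3.8 has no fixed release: every version on it is affected.
        return True
    return patch < fixed_patch


def recommended_target(version: str) -> Optional[str]:
    """Smallest fixed release on the instance's own branch, or None when not vulnerable."""
    if not is_vulnerable(version):
        return None
    major, minor, _ = parse_version(version)
    fixed_patch = PATCHED_RELEASES.get((major, minor))
    if fixed_patch is None:
        return f"{OLDEST_FIXED_RELEASE} or later (no fixed release on branch {major}.{minor})"
    return f"{major}.{minor}.{fixed_patch}"


if __name__ == "__main__":
    # Constructed sample inputs, in the shape the SSH version check would print.
    for sample in ("3.11.4\n", "3.11.5\n", "3.10.9\n", "3.12.0\n", "3.7.3\n"):
        status = "VULNERABLE" if is_vulnerable(sample) else "not vulnerable"
        print(f"{sample.strip():>8}: {status}; upgrade to: {recommended_target(sample)}")
```

Pipe the output of the SSH command into this script for each appliance in an inventory, and treat a parse failure as "unknown, investigate" rather than "safe".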

📡 Detection & Monitoring

Log Indicators:

  • Unusual audit log forwarding configuration changes
  • SSH access from unexpected users or IPs
  • Commands executed via Management Console with editor role

Network Indicators:

  • Unexpected SSH connections to GitHub Enterprise Server appliance

SIEM Query:

source="github-enterprise" AND (event="audit_log_config_change" OR event="ssh_login")
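The SIEM query above returns the raw events; what an analyst actually wants is the chain this advisory describes, an audit log forwarding configuration change followed shortly by an SSH login that is not expected. The following is an added example, not part of the original page and not real GitHub Enterprise Server log output: it runs that correlation over constructed JSON events whose field names (`event`, `actor`, `role`, `src_ip`, `user`, `ts`) are assumptions chosen to match the query, with a constructed allow-list of known administrative source addresses.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed sample events (not real GHES logs); field names are assumptions.
SAMPLE_EVENTS = """
{"ts":"2024-02-10T09:00:00Z","event":"audit_log_config_change","actor":"alice","role":"admin","src_ip":"10.0.0.5"}
{"ts":"2024-02-10T09:05:00Z","event":"ssh_login","user":"admin","src_ip":"10.0.0.5"}
{"ts":"2024-02-10T13:10:00Z","event":"audit_log_config_change","actor":"mallory","role":"editor","src_ip":"10.0.8.42"}
{"ts":"2024-02-10T13:14:00Z","event":"ssh_login","user":"admin","src_ip":"10.0.8.42"}
{"ts":"2024-02-10T18:00:00Z","event":"ssh_login","user":"admin","src_ip":"10.0.0.5"}
"""

KNOWN_ADMIN_SOURCES: Set[str] = {"10.0.0.5"}   # constructed allow-list (jump hosts)
CORRELATION_WINDOW = timedelta(minutes=30)     # assumed window between change and login


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = _parse_ts(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[Dict], known_sources: Set[str],
           window: timedelta = CORRELATION_WINDOW) -> List[Dict]:
    """Three rules matching the log indicators listed in this advisory:
    1. editor role changed the audit log forwarding configuration;
    2. SSH login from a source not on the admin allow-list;
    3. any forwarding config change followed within `window` by an SSH login
       from an unknown source (the escalation chain)."""
    alerts: List[Dict] = []
    for e in events:
        if e["event"] == "audit_log_config_change" and e.get("role") == "editor":
            alerts.append({"rule": "editor_changed_audit_forwarding",
                           "actor": e["actor"], "src_ip": e["src_ip"], "ts": e["ts"]})
        elif e["event"] == "ssh_login" and e["src_ip"] not in known_sources:
            alerts.append({"rule": "ssh_login_unknown_source",
                           "user": e["user"], "src_ip": e["src_ip"], "ts": e["ts"]})

    changes = [e for e in events if e["event"] == "audit_log_config_change"]
    logins = [e for e in events if e["event"] == "ssh_login"
              and e["src_ip"] not in known_sources]
    for change in changes:
        for login in logins:
            if change["ts"] <= login["ts"] <= change["ts"] + window:
                alerts.append({"rule": "config_change_then_ssh",
                               "actor": change["actor"], "user": login["user"],
                               "src_ip": login["src_ip"],
                               "delay_s": int((login["ts"] - change["ts"]).total_seconds()),
                               "ts": login["ts"]})
    return alerts


def run_sample() -> List[str]:
    """Rule names fired on the constructed sample, in detection order."""
    return [a["rule"] for a in detect(parse_events(SAMPLE_EVENTS), KNOWN_ADMIN_SOURCES)]


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS), KNOWN_ADMIN_SOURCES):
        print(alert)
```

Rule 3 is the one worth paging on: a routine admin maintenance change from a known host (alice at 09:00 in the sample) produces no alert, while the editor's change followed four minutes later by an SSH login from the same unknown address fires all three rules.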

🔗 References