CVE-2024-8770
📋 TL;DR
A Cross-Site Scripting (XSS) vulnerability in GitHub Enterprise Server's repository transfer feature allows attackers to inject malicious scripts that can steal sensitive user information through social engineering. This affects all organizations using GitHub Enterprise Server before the patched versions. Attackers could potentially compromise user accounts and access private data.
💻 Affected Systems
- GitHub Enterprise Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator credentials, gain full access to the GitHub Enterprise Server instance, exfiltrate all source code and sensitive data, and potentially compromise downstream systems.
Likely Case
Attackers steal session cookies or authentication tokens from users, gaining unauthorized access to repositories, sensitive data, and performing actions as compromised users.
If Mitigated
With proper Content Security Policy (CSP) headers and input validation, the impact is limited to potential data leakage from the specific vulnerable page only.
🎯 Exploit Status
Exploitation requires social engineering to trick users into interacting with malicious content. The vulnerability was discovered through GitHub's bug bounty program.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.10.17, 3.11.15, 3.12.9, 3.13.4, or 3.14.1
Vendor Advisory: https://docs.github.com/en/enterprise-server/admin/release-notes
Restart Required: Yes
Instructions:
1. Backup your GitHub Enterprise Server instance. 2. Download the appropriate patched version from GitHub Enterprise. 3. Follow the upgrade instructions for your specific version. 4. Restart the server after upgrade completion.
🔧 Temporary Workarounds
Disable repository transfers
linuxTemporarily disable the repository transfer feature to prevent exploitation while planning the upgrade.
ghe-config app.repository-transfers.enabled false
ghe-config-apply
Implement Content Security Policy
allAdd strict CSP headers to mitigate XSS impact by restricting script execution.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block XSS payloads in repository transfer requests
- Educate users about phishing risks and implement mandatory security awareness training
🔍 How to Verify
Check if Vulnerable:
Check your GitHub Enterprise Server version via the management console or SSH. If version is below the patched versions listed, you are vulnerable.Check Version:
ssh admin@your-ghe-instance 'ghe-version'Verify Fix Applied:
After upgrade, verify the version shows one of: 3.10.17, 3.11.15, 3.12.9, 3.13.4, or 3.14.1 or higher.📡 Detection & Monitoring
Log Indicators:
- Unusual repository transfer activity
- Multiple failed authentication attempts following repository transfers
- Suspicious user agent strings in repository transfer logs
Network Indicators:
- Outbound connections to suspicious domains following repository transfer actions
- Unusual patterns in HTTP request headers for transfer endpoints
SIEM Query:
source="github-enterprise" AND (event="repository_transfer" OR endpoint="/repos/*/transfer") AND (user_agent CONTAINS "script" OR user_agent CONTAINS "<script>")🔗 References
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.17
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.15
- https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.9
- https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.4
- https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.1
