CVE-2024-1372 Overview
CVE-2024-1372 is a command injection vulnerability in GitHub Enterprise Server (GHES) that allows an attacker with the Management Console editor role to gain administrative SSH access to the underlying appliance. The flaw resides in the SAML configuration workflow, where attacker-controlled input is passed to a shell context without proper sanitization. Successful exploitation grants full control of the appliance, including access to repositories, secrets, and integrations hosted by the GHES instance. GitHub fixed the issue in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. The vulnerability was reported through the GitHub Bug Bounty program.
Critical Impact
An authenticated Management Console editor can escalate to root-level SSH access on the GitHub Enterprise Server appliance, compromising all hosted code, credentials, and CI/CD pipelines.
Affected Products
- GitHub Enterprise Server versions prior to 3.8.15
- GitHub Enterprise Server 3.9.x prior to 3.9.10, 3.10.x prior to 3.10.7, and 3.11.x prior to 3.11.5
- All GHES deployments where the Management Console editor role is delegated to non-administrative users
Discovery Timeline
- 2024-02-13 - CVE-2024-1372 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-1372
Vulnerability Analysis
The vulnerability is a command injection flaw [CWE-77] compounded by improper input validation [CWE-20] in the GitHub Enterprise Server Management Console. When an editor configures Security Assertion Markup Language (SAML) authentication settings, one or more fields are concatenated into a shell command executed on the appliance. Because the input is not sanitized or parameterized, an attacker can inject shell metacharacters to execute arbitrary operating system commands. The commands run in a privileged context that has the ability to modify the SSH authorized keys and service configuration on the appliance.
This is a post-authentication issue, but the editor role is intentionally less privileged than the administrator role. Treating editor accounts as a trust boundary, the flaw represents a vertical privilege escalation from web-tier editor to OS-level administrator on the appliance.
Root Cause
The root cause is unsafe handling of user-supplied SAML configuration fields. The Management Console passes these values into a shell command without escaping or using an exec-style API that separates arguments from the command string. Any field containing characters such as backticks, semicolons, $(), or pipes is interpreted by the shell rather than treated as data.
Attack Vector
An attacker first obtains credentials for a Management Console account with the editor role. The attacker then navigates to the SAML settings page and submits a crafted value in a SAML configuration field. When the configuration is saved or validated, the appliance executes the injected command. The attacker writes an SSH public key into the administrator account's authorized_keys file or executes commands directly, then connects over SSH to the appliance with administrative privileges. Refer to the GitHub Release Notes 3.11.5 for vendor remediation guidance.
Detection Methods for CVE-2024-1372
Indicators of Compromise
- Unexpected modifications to /home/admin/.ssh/authorized_keys or other SSH key files on the GHES appliance
- Management Console audit log entries showing SAML configuration changes by editor-role accounts followed by SSH logins
- New or anomalous SSH sessions to the appliance from previously unseen source IP addresses
- Shell metacharacters (;, |, `, $() appearing in stored SAML configuration values
Detection Strategies
- Review GHES audit logs for business.update_saml_provider_settings and related Management Console events correlated with editor-role principals
- Hunt for process executions on the appliance spawned by the Management Console service that do not match known administrative workflows
- Inspect SAML configuration values for unexpected shell syntax that would not occur in legitimate identity provider metadata URLs or certificates
Monitoring Recommendations
- Forward GHES audit logs and appliance SSH authentication logs to a centralized SIEM with alerting on privileged role changes and SSH key file writes
- Alert on any successful SSH login to the GHES appliance that is not preceded by an approved change ticket
- Continuously monitor the membership of the Management Console editor role and require approval workflows for additions
How to Mitigate CVE-2024-1372
Immediate Actions Required
- Upgrade GitHub Enterprise Server to 3.11.5, 3.10.7, 3.9.10, 3.8.15, or any later release in those branches
- Audit and minimize accounts assigned the Management Console editor role; remove access for users who do not require it
- Rotate SSH host keys, administrator credentials, and any secrets stored on the appliance if compromise is suspected
- Review SAML provider configuration values for unexpected content and reset them from a known-good source
Patch Information
GitHub released fixes in GHES 3.11.5, 3.10.7, 3.9.10, and 3.8.15. Versions in the 3.12 branch are not affected. Administrators should follow the upgrade instructions in the GitHub Release Notes 3.10.7, GitHub Release Notes 3.9.10, and GitHub Release Notes 3.8.15.
Workarounds
- Restrict Management Console access to administrators only until the appliance is patched
- Place the Management Console behind a network access control list that limits connectivity to a small set of trusted administrative workstations
- Require multi-factor authentication on all Management Console accounts and rotate the Management Console password
# Configuration example: verify GHES version and restrict Management Console exposure
ghe-version
sudo iptables -A INPUT -p tcp --dport 8443 ! -s 10.0.0.0/24 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
