CVE-2024-1374 Overview
CVE-2024-1374 is a command injection vulnerability in GitHub Enterprise Server (GHES). An attacker holding the editor role in the Management Console can abuse nomad templates when configuring audit log forwarding to gain administrative SSH access to the appliance. The flaw affects all versions of GitHub Enterprise Server prior to 3.12 and was reported through the GitHub Bug Bounty program. GitHub fixed the issue in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. The weakness is classified under [CWE-77] (Command Injection) and [CWE-20] (Improper Input Validation).
Critical Impact
A Management Console editor can escalate to root-level SSH access on the GHES appliance, compromising source code, secrets, and CI/CD pipelines hosted on the instance.
Affected Products
- GitHub Enterprise Server versions prior to 3.8.15
- GitHub Enterprise Server 3.9.x prior to 3.9.10, 3.10.x prior to 3.10.7, and 3.11.x prior to 3.11.5
- All GHES deployments where audit log forwarding can be configured from the Management Console
Discovery Timeline
- 2024-02-13 - CVE-2024-1374 published to the National Vulnerability Database
- 2024-11-21 - Last updated in NVD database
- Reported via the GitHub Bug Bounty program
Technical Details for CVE-2024-1374
Vulnerability Analysis
The vulnerability lives in the Management Console workflow that configures audit log forwarding on GHES. GHES uses HashiCorp nomad to orchestrate internal services, and rendered nomad job templates incorporate values supplied through the audit log forwarding settings. Input from these settings is interpolated into template directives without sufficient sanitization. An authenticated user with the editor role can inject template syntax that the rendering engine evaluates as shell commands. Because rendered jobs execute under privileged service contexts, command execution lands the attacker on the appliance with administrative SSH access.
Root Cause
The root cause is improper neutralization of special elements used in an operating system command [CWE-77], combined with insufficient input validation [CWE-20] of audit log forwarding parameters. User-controlled fields flow directly into nomad template expressions, where template evaluation is treated as a trusted code path.
Attack Vector
Exploitation requires network access to the GHES Management Console and valid credentials for an account with the editor role. The attacker submits a crafted audit log forwarding configuration containing malicious template directives. When GHES renders the corresponding nomad job, the injected payload executes on the appliance host. The scope-changing nature of the flaw enables the attacker to obtain SSH access as an administrative user, bypassing the role boundary intended by the Management Console.
No verified public proof-of-concept code is available. Refer to the GitHub Enterprise release notes for vendor technical context.
Detection Methods for CVE-2024-1374
Indicators of Compromise
- Unexpected modifications to audit log forwarding configuration in the Management Console
- New or unrecognized SSH sessions to the GHES appliance using the admin account
- nomad job definitions or rendered templates containing shell metacharacters in fields tied to audit log destinations
- Outbound network connections from the appliance to attacker-controlled hosts following Management Console configuration changes
Detection Strategies
- Monitor Management Console audit events for changes to audit log forwarding made by editor-role accounts
- Inspect rendered nomad job specifications for template syntax or shell operators originating from user-supplied fields
- Correlate Management Console configuration changes with subsequent SSH authentication events on the appliance
- Baseline normal administrative SSH activity and alert on deviations in source IP, time-of-day, or session frequency
Monitoring Recommendations
- Forward GHES system logs, SSH authentication logs, and Management Console audit logs to a centralized SIEM
- Alert on creation or modification of accounts assigned the editor role in the Management Console
- Track process execution lineage from nomad worker processes to detect unexpected child shells
- Review release-note guidance in the GitHub Enterprise 3.11.5 advisory and apply matching detections
How to Mitigate CVE-2024-1374
Immediate Actions Required
- Upgrade GHES to 3.11.5, 3.10.7, 3.9.10, 3.8.15, or any later release on the supported branch
- Audit Management Console editor accounts and revoke access that is not strictly required
- Rotate SSH keys, administrative passwords, and any secrets stored on the appliance if compromise is suspected
- Review audit log forwarding configurations for unexpected entries introduced before the patch was applied
Patch Information
GitHub released fixes in GHES 3.11.5, 3.10.7, 3.9.10, and 3.8.15. Versions 3.12 and later are not affected. See the vendor release notes: GHES 3.11.5, GHES 3.10.7, GHES 3.9.10, and GHES 3.8.15.
Workarounds
- Restrict Management Console access to a hardened administrative network segment using firewall rules or VPN gating
- Limit assignment of the editor role to a minimal set of trusted operators and enforce multi-factor authentication on those accounts
- Disable audit log forwarding configuration changes until the patched version is deployed where operationally feasible
- Monitor administrative SSH access to the appliance and require jump-host or bastion mediation
# Verify the running GHES version against the patched baseline
ghe-version
# Expected output should be >= 3.8.15, 3.9.10, 3.10.7, 3.11.5, or 3.12.x
# Restrict Management Console access at the network layer (example iptables rule)
iptables -A INPUT -p tcp --dport 8443 -s <trusted_admin_cidr> -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
