
Multiple GitHub Enterprise Server Vulnerabilities

Severity

High

Analysis Summary

CVE-2024-3684 CVSS:8

GitHub Enterprise Server is vulnerable to server-side request forgery (SSRF), caused by a flaw in the configuration of Artifacts & Logs and Migrations Storage. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack and gain admin access to the appliance.

CVE-2024-3646 CVSS:8

GitHub Enterprise Server could allow a remote authenticated attacker to bypass security restrictions, caused by a command injection flaw in the configuration of the chat integration. By sending a specially crafted request, an attacker could exploit this vulnerability to gain administrative SSH access to the appliance.

CVE-2024-3470 CVSS:5.9

GitHub Enterprise Server could allow a remote authenticated attacker to bypass security restrictions, caused by improper privilege management. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass a ruleset that specified organization administrators as bypass actors.

Impact

  • Gain Access
  • Security Bypass

Indicators of Compromise

CVE

  • CVE-2024-3684
  • CVE-2024-3646
  • CVE-2024-3470

Affected Vendors

GitHub

Affected Products

  • GitHub Enterprise Server 3.11.0
  • GitHub Enterprise Server 3.10.0
  • GitHub Enterprise Server 3.12.0
  • GitHub Enterprise Server 3.9.0

Remediation

Upgrade to the latest version of GitHub Enterprise Server, available from the GitHub website.
