CVE-2024-1354: 
GitHub Enterprise Server vulnerability analysis and mitigation

A command injection vulnerability (CVE-2024-1354) was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the syslog-ng configuration file. The vulnerability was discovered and disclosed in February 2024, affecting all versions of GitHub Enterprise Server prior to 3.12 (GitHub Release Notes).

The vulnerability is classified as a command injection flaw (CWE-77) with a CVSS v3.1 base score of 8.0 HIGH (Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). The issue specifically involves the ability to inject commands through the syslog-ng configuration file when an attacker has editor access to the Management Console (NVD).

If exploited, this vulnerability allows an attacker with editor role privileges in the Management Console to escalate their access and gain administrative SSH access to the GitHub Enterprise Server appliance. This could potentially lead to complete system compromise (GitHub Release Notes).

The vulnerability has been fixed in GitHub Enterprise Server versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. Organizations running affected versions should upgrade to the patched versions immediately to mitigate this security risk (GitHub Release Notes).