CVE-2024-1369: 
GitHub Enterprise Server vulnerability analysis and mitigation

A command injection vulnerability (CVE-2024-1369) was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when setting the username and password for collectd configurations. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program (NVD).

The vulnerability is classified as a command injection vulnerability (CWE-77) and improper input validation (CWE-20). It has been assigned a CVSS v3.1 base score of 9.1 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. The exploitation required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role (NVD).

The vulnerability allowed an attacker with editor role privileges in the Management Console to gain elevated admin SSH access to the appliance, potentially compromising the entire system's security (NVD).

The vulnerability has been patched in multiple GitHub Enterprise Server versions: 3.11.5, 3.10.7, 3.9.10, and 3.8.15. Organizations using affected versions should upgrade to these patched versions or later to mitigate the vulnerability (GitHub Release Notes).