CVE-2024-10007

A path collision and arbitrary code execution vulnerability was identified in GitHub Enterprise Server that allowed container escape to escalate to root via ghe-firejail path. Exploitation of this vulnerability requires Enterprise Administrator access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise prior to 3.15 and was fixed in versions 3.14.3, 3.13.6, 3.12.11, and 3.11.17. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS

No CVSS.

References

Link	Resource
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.17
https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.11
https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.6
https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.3

Configurations

No configuration.

History

08 Nov 2024, 19:01

Type	Values Removed	Values Added
Summary		(es) Se identificó una vulnerabilidad de colisión de rutas y ejecución de código arbitrario en GitHub Enterprise Server que permitía que el escape de contenedores escalara a la raíz a través de la ruta ghe-firejail. La explotación de esta vulnerabilidad requiere acceso de administrador de la empresa a la instancia de GitHub Enterprise Server. Esta vulnerabilidad afectó a todas las versiones de GitHub Enterprise anteriores a la 3.15 y se corrigió en las versiones 3.14.3, 3.13.6, 3.12.11 y 3.11.17. Esta vulnerabilidad se informó a través del programa de recompensas por errores de GitHub.

07 Nov 2024, 23:15

Type	Values Removed	Values Added
Summary	(en) A path collision and arbitrary code execution vulnerability was identified in GitHub Enterprise Server that allowed container escape and privilege escalation to root via the ghe-firejail path. This vulnerability affected all versions of GitHub Enterprise prior to 3.15 and was fixed in versions 3.14.3, 3.13.6, 3.12.11, and 3.11.17. This vulnerability was reported via the GitHub Bug Bounty program.	(en) A path collision and arbitrary code execution vulnerability was identified in GitHub Enterprise Server that allowed container escape to escalate to root via ghe-firejail path. Exploitation of this vulnerability requires Enterprise Administrator access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise prior to 3.15 and was fixed in versions 3.14.3, 3.13.6, 3.12.11, and 3.11.17. This vulnerability was reported via the GitHub Bug Bounty program.

07 Nov 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-07 21:15

Updated : 2024-11-08 19:01

NVD link : CVE-2024-10007

Mitre link : CVE-2024-10007

CVE.ORG link : CVE-2024-10007

JSON object : View

Products Affected

No product.

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

JSON object

Attach tags to CVE-2024-10007

Attach tags to `CVE-2024-10007`