CVE-2024-0507
Published: 16 January 2024
Summary
CVE-2024-0507 is a medium-severity Improper Input Validation (CWE-20) vulnerability in GitHub Enterprise Server. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2024-0507 is a command injection flaw, also referenced under CWE-20 and CWE-77, present in the Management Console component of GitHub Enterprise Server. It affected every version of the product until patches were issued in releases 3.11.3, 3.10.5, 3.9.8, and 3.8.13. The issue carries a CVSS 3.1 score of 6.5 with a network attack vector, low complexity, and high-privilege requirement, resulting in high confidentiality and integrity impact.
An attacker holding a Management Console account with the editor role can supply crafted input that triggers command injection, enabling escalation to higher privileges on the affected instance. Exploitation requires authenticated access to the console but no additional user interaction once that foothold exists.
GitHub's release notes for the fixed versions document the remediation and confirm the vulnerability was identified through the company's bug bounty program. Administrators are advised to upgrade to one of the listed patched releases to eliminate the command injection vector.
The associated EPSS score reached a peak of 0.7770 on 2025-12-11 before receding to the current value of 0.7288.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16302
Vulnerability details
An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.11.3, 3.10.5, 3.9.8, and 3.8.13. This vulnerability was reported via the GitHub Bug Bounty program.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
- Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
- Directly implements checks on information inputs to reject invalid data before processing.
- Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.