CVE-2024-10001
Published: 29 January 2025
Summary
CVE-2024-10001 is a high-severity Code Injection (CWE-94) vulnerability in Github Enterprise Server. Its CVSS base score is 7.1 (High).
Operationally, ranked at the 47.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of user-controlled inputs like the identity property before processing, directly addressing the improper validation sequence that enables code injection into the query selector.
SI-2 mandates timely remediation of flaws such as this code injection vulnerability through patching to the specified GitHub Enterprise Server versions.
SI-3 deploys mechanisms to detect and prevent malicious code execution resulting from the injected code manipulating the DOM for data exfiltration.
NVD Description
A Code Injection vulnerability was identified in GitHub Enterprise Server that allowed attackers to inject malicious code into the query selector via the identity property in the message handling function. This enabled the exfiltration of sensitive data by manipulating the…
more
DOM, including authentication tokens. To execute the attack, the victim must be logged into GitHub and interact with the attacker controlled malicious webpage containing the hidden iframe. This vulnerability occurs due to an improper sequence of validation, where the origin check occurs after accepting the user-controlled identity property. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.11.16, 3.12.10, 3.13.5, 3.14.2, and 3.15.0. This vulnerability was reported via the GitHub Bug Bounty program.
Deeper analysisAI
CVE-2024-10001 is a code injection vulnerability (CWE-94) in GitHub Enterprise Server, stemming from an improper validation sequence in the message handling function. Attackers can inject malicious code into the query selector via the user-controlled identity property, as the origin check occurs after acceptance of this property. This flaw affects all versions of GitHub Enterprise Server prior to 3.11.16, 3.12.10, 3.13.5, 3.14.2, and 3.15.0, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).
The attack requires a victim who is authenticated to GitHub Enterprise Server to interact with an attacker-controlled malicious webpage containing a hidden iframe. No special privileges are needed for the attacker, who can operate over the network with low complexity. Successful exploitation enables DOM manipulation to exfiltrate sensitive data, including authentication tokens.
Mitigation involves upgrading to GitHub Enterprise Server versions 3.11.16 or later (for the 3.11 series), 3.12.10 or later (3.12 series), 3.13.5 or later (3.13 series), 3.14.2 or later (3.14 series), or 3.15.0 or later, as detailed in the corresponding release notes. The vulnerability was reported through the GitHub Bug Bounty program, with no public details on real-world exploitation.
Details
- CWE(s)