Multiple F5 BIG-IP Products Vulnerabilities
May 9, 2024
Severity
Medium
Analysis Summary
CVE-2024-2748 (CVSS: 4.3)
GitHub Enterprise Server is vulnerable to cross-site request forgery (CSRF) because GraphQL mutations do not properly validate user-supplied input. By persuading an authenticated user to visit a malicious website, a remote attacker could cause the victim's browser to send a malformed HTTP request that carries out unintended actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, web cache poisoning, and other malicious activities.
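The CSRF class described above is what a GraphQL endpoint's request validation is supposed to stop: a cross-site page can only submit "simple" requests (form or text content types) and cannot forge the browser-set Origin or Sec-Fetch-Site headers. The following is an added, illustrative server-side check (not code from the advisory or from GitHub); the trusted hostname, header names and the mutation-detection heuristic are assumptions.

```python
"""Illustrative CSRF gate for a GraphQL mutation endpoint (added example)."""
import json
from typing import Dict, Tuple

# Assumed deployment origin; a real service would load this from configuration.
TRUSTED_ORIGINS = {"https://ghes.example.internal"}


def _is_mutation(body: bytes) -> bool:
    """Report whether the GraphQL document in the body is a mutation.

    Simplification: only the leading operation keyword is inspected. An
    unparseable body is treated as a mutation so the gate fails closed.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return True
    query = doc.get("query", "") if isinstance(doc, dict) else ""
    return query.lstrip().lower().startswith("mutation")


def csrf_check(headers: Dict[str, str], body: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request; header names may be any case."""
    h = {k.lower(): v for k, v in headers.items()}
    if not _is_mutation(body):
        return True, "query only"
    # 1. Cross-site simple requests can only carry form/text content types,
    #    so a mutation must arrive as application/json (a preflighted type).
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"content-type {ctype or '<none>'} not allowed for mutations"
    # 2. Browsers always attach Origin to cross-site POSTs; require a match.
    origin = h.get("origin")
    if origin is None:
        return False, "missing Origin header"
    if origin not in TRUSTED_ORIGINS:
        return False, f"untrusted origin {origin}"
    # 3. Fetch metadata is a second browser-controlled signal where present.
    if h.get("sec-fetch-site", "same-origin") not in ("same-origin", "none"):
        return False, "cross-site fetch metadata"
    return True, "ok"
```

A forged form post from another site fails at the content-type step, while a same-origin JSON request with a matching Origin passes; read-only queries are left alone because they change no state.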
CVE-2024-2443 (CVSS: 9.1)
GitHub Enterprise Server contains a command injection vulnerability that could allow a remote authenticated attacker to gain elevated privileges on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to escalate privileges.
Impact
- Gain Access
- Privilege Escalation
Indicators of Compromise
CVE
- CVE-2024-2748
- CVE-2024-2443
Affected Vendors
- GitHub
Affected Products
- GitHub Enterprise Server 3.12.0
- GitHub Enterprise Server 3.8.16
- GitHub Enterprise Server 3.9.11
- GitHub Enterprise Server 3.10.8
- GitHub Enterprise Server 3.11.6
Remediation
Refer to the GitHub Docs website for patch, upgrade, or suggested workaround information.