CVE-2024-1082: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GitHub Enterprise Server

Severity: Medium
Tags: Vulnerability, CVE-2024-1082, cve, cwe-22
Published: Tue Feb 13 2024 (02/13/2024, 18:47:10 UTC)
Source: CVE
Vendor/Project: GitHub
Product: Enterprise Server

Description

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed an attacker to gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.15, 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.

AI-Powered Analysis

Last updated: 07/05/2025, 00:55:21 UTC

Technical Analysis

CVE-2024-1082 is a path traversal vulnerability (CWE-22) identified in GitHub Enterprise Server versions prior to 3.12, specifically affecting versions 3.8.0, 3.9.0, 3.10.0, and 3.11.0. This vulnerability allows an attacker with limited privileges—specifically, the ability to create and build GitHub Pages sites on the affected instance—to gain unauthorized read access to files outside the intended directory scope. The exploit involves deploying arbitrary symbolic links within a specially crafted artifact tarball used in GitHub Pages site builds. By manipulating these symbolic links, the attacker can traverse directories and access sensitive files that should be restricted, potentially exposing confidential information. The vulnerability does not allow modification or deletion of files (integrity and availability are not impacted), but the confidentiality impact is high due to unauthorized file read access. The CVSS 3.1 base score is 6.3 (medium severity), reflecting network attack vector, high attack complexity, low privileges required, no user interaction, and a scope change due to unauthorized file access. The vulnerability was responsibly disclosed via the GitHub Bug Bounty program and fixed in GitHub Enterprise Server versions 3.8.15, 3.9.10, 3.10.7, and 3.11.5. No known exploits in the wild have been reported to date.
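The flaw described above is a symbolic link inside a build artifact whose target resolves outside the site root. The check below is an added example (not GitHub's code) of how a build pipeline can audit an artifact tarball before anything is extracted or published; the tarball it inspects is constructed in the example, and the `site/` layout and `secrets.conf` name are invented for illustration.

```python
import io
import posixpath
import tarfile

def _above_root(norm):
    """True if a posixpath.normpath() result lies outside the extraction root."""
    return posixpath.isabs(norm) or norm == ".." or norm.startswith("../")

def audit_artifact(tar_bytes):
    """Return (member_name, reason) pairs for members that would let a build
    read or write outside the artifact root. Nothing is extracted; names and
    link targets are checked by path arithmetic only. Flagged: absolute or
    '..' member names (classic CWE-22), symlinks whose target resolved from
    the link's own directory leaves the root, and hardlinks whose target
    (relative to the archive root) leaves the root."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if _above_root(name):
                findings.append((m.name, "member path escapes root"))
                continue
            if m.issym():    # symlink target is relative to the link's directory
                target = posixpath.join(posixpath.dirname(name), m.linkname)
            elif m.islnk():  # hardlink target is relative to the archive root
                target = m.linkname
            else:
                continue
            if _above_root(posixpath.normpath(target)):
                findings.append((m.name, "link target escapes root"))
    return findings

def build_sample_artifact():
    """Constructed sample (not a real GitHub Pages artifact): one page, one
    in-tree symlink, and one symlink pointing above the site root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        page = b"<h1>hello</h1>"
        info = tarfile.TarInfo("site/index.html")
        info.size = len(page)
        tar.addfile(info, io.BytesIO(page))
        ok = tarfile.TarInfo("site/latest.html")
        ok.type, ok.linkname = tarfile.SYMTYPE, "index.html"
        tar.addfile(ok)
        bad = tarfile.TarInfo("site/assets/leak.txt")
        bad.type, bad.linkname = tarfile.SYMTYPE, "../../../secrets.conf"
        tar.addfile(bad)
    return buf.getvalue()
```

A non-empty result from `audit_artifact` is grounds to reject the artifact before the build step ever follows the link; the in-tree symlink is accepted because its target stays under the root.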

Potential Impact

For European organizations using GitHub Enterprise Server internally, this vulnerability poses a significant confidentiality risk. Attackers with limited permissions to create GitHub Pages sites—often developers or internal users—could exploit this flaw to access sensitive files stored on the server, including configuration files, source code, credentials, or other proprietary data. This could lead to intellectual property theft, exposure of sensitive business information, or leakage of personal data protected under GDPR, resulting in regulatory penalties and reputational damage. Since GitHub Enterprise Server is commonly used by large enterprises, government agencies, and research institutions across Europe, the exposure could be widespread if unpatched. The requirement for some level of permission to create Pages sites limits the attack surface to insiders or compromised accounts, but insider threats or credential compromise scenarios remain realistic. The vulnerability does not impact system integrity or availability, so it is less likely to cause service disruption but remains a critical confidentiality concern.

Mitigation Recommendations

European organizations should immediately verify their GitHub Enterprise Server versions and upgrade to the fixed releases (3.8.15, 3.9.10, 3.10.7, or 3.11.5) as soon as possible. Until patched, organizations should restrict the ability to create and build GitHub Pages sites to a minimal set of trusted users, ideally disabling this feature if not required. Implement strict access controls and monitoring on GitHub Enterprise Server to detect unusual activity related to Pages site creation or artifact uploads. Conduct internal audits of permissions and review logs for suspicious symbolic link deployments or artifact builds. Additionally, consider network segmentation to limit exposure of the GitHub Enterprise Server to only trusted internal networks and enforce multi-factor authentication to reduce the risk of compromised accounts. Regularly update and patch GitHub Enterprise Server as part of a robust vulnerability management program to prevent exploitation of similar issues.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_P
Date Reserved: 2024-01-30T19:17:02.516Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9817c4522896dcbd75e3

Added to database: 5/21/2025, 9:08:39 AM

Last enriched: 7/5/2025, 12:55:21 AM

Last updated: 7/26/2025, 8:16:47 PM
