CVE-2024-1372 is a critical command injection vulnerability affecting GitHub Enterprise Server versions prior to 3.12, specifically versions 3.8.0, 3.9.0, 3.10.0, and 3.11.0. The vulnerability arises from improper input validation (CWE-20) during the configuration of SAML settings within the Management Console. An attacker with an editor role in the Management Console can exploit this flaw to execute arbitrary commands, ultimately gaining administrative SSH access to the GitHub Enterprise Server appliance. This level of access effectively compromises the entire server, allowing the attacker to manipulate repositories, user data, and potentially pivot to other internal systems. Exploitation requires prior access to the GitHub Enterprise Server instance and Management Console with editor privileges, which limits the attack surface to insiders or attackers who have already breached initial defenses. The vulnerability was responsibly disclosed through the GitHub Bug Bounty program and fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. The CVSS v3.1 score is 9.1 (critical), reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and privileges required but no user interaction needed. No known exploits are currently reported in the wild, but the severity and potential impact warrant immediate attention.

For European organizations using GitHub Enterprise Server, this vulnerability poses a significant risk. GitHub Enterprise Server is widely adopted by enterprises for source code management, CI/CD pipelines, and collaboration on software development. A successful exploit could lead to full compromise of the code repositories, leakage of intellectual property, insertion of malicious code, and disruption of development workflows. The administrative SSH access gained by attackers could also allow lateral movement within the corporate network, potentially exposing sensitive internal systems and data. Given the critical nature of software supply chain security, exploitation could have cascading effects on downstream products and services. Organizations in sectors such as finance, healthcare, telecommunications, and government—where software integrity and confidentiality are paramount—are particularly at risk. Additionally, the requirement for editor-level access means insider threats or compromised credentials pose a heightened danger. The lack of known active exploitation provides a window for mitigation but should not lead to complacency.

European organizations should immediately verify their GitHub Enterprise Server versions and upgrade to the fixed releases: 3.11.5, 3.10.7, 3.9.10, or 3.8.15. Beyond patching, organizations should audit Management Console user roles and restrict editor privileges to trusted personnel only, employing the principle of least privilege. Implement multi-factor authentication (MFA) for all Management Console users to reduce the risk of credential compromise. Monitor logs for unusual Management Console activity, especially around SAML configuration changes or SSH access attempts. Employ network segmentation to isolate GitHub Enterprise Server appliances from broader internal networks, limiting potential lateral movement. Conduct regular internal penetration testing focusing on privilege escalation paths within administrative consoles. Finally, integrate GitHub Enterprise Server monitoring with Security Information and Event Management (SIEM) systems to detect anomalous behavior promptly.