Unsafe reflection RCE in GitHub Enterprise Server organizations actions settings
CVE-2024-0200 is an unsafe reflection vulnerability in GitHub Enterprise Server (GHES) caused by using a user-controlled parameter to select the method invoked on a Repository object. The vulnerable path is in Organizations::Settings::RepositoryItemsComponent, where repository.send is called with a repository identifier key derived from the rid_key request parameter handled by Orgs::ActionsSettings::RepositoryItemsController, without validating that key against a permitted set. The result is an arbitrary zero-argument method invocation primitive against Repository objects. The researcher identified Repository::GitDependency#nw_fsck as a viable target: that path reaches GitRPC::Backend#nw_fsck and process-spawning logic that returns metadata including the spawned process's environment, so an attacker could disclose environment variables from the Rails/container environment. On GHES this disclosure can be escalated to remote code execution, including through exposure of ENTERPRISE_SESSION_SECRET followed by forged Rails session cookies and unsafe Marshal deserialization. The vulnerability affected all GHES versions prior to 3.12 and was fixed in 3.8.13, 3.9.8, 3.10.5, and 3.11.3.
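The pattern behind this class of bug, and the fix a defender would expect, reduced to a toy model. This is an added illustration, not GitHub's code: the Repository class, the dump_environment method and the helper names are hypothetical stand-ins for the real controller and component, and the only thing carried over from the advisory is the shape `repository.send(<request parameter>)`.

```ruby
# Added illustration (not GitHub's code): an unsafe-reflection primitive in
# Ruby, beside an allowlisted replacement. All names below are hypothetical.

class Repository
  attr_reader :id, :name

  def initialize(id:, name:)
    @id = id
    @name = name
  end

  private

  # Hypothetical stand-in for a privileged zero-argument method that the
  # request handler never intended to expose. It is private, which is
  # irrelevant to Object#send: send ignores visibility entirely.
  def dump_environment
    { "SESSION_SECRET" => "example-placeholder" }
  end
end

# Vulnerable shape: the method name comes straight from a request parameter,
# so every zero-argument method on the object (public or private) is reachable.
def vulnerable_identifier(repository, rid_key)
  repository.send(rid_key)
end

# Hardened shape: map the request parameter to a fixed set of accessors and
# reject anything else before the model is touched. public_send is used so
# that even a mistake in the table cannot reach private methods.
REPOSITORY_IDENTIFIER_KEYS = {
  "id"   => :id,
  "name" => :name,
}.freeze

class UnknownIdentifierKey < ArgumentError; end

def safe_identifier(repository, rid_key)
  method_name = REPOSITORY_IDENTIFIER_KEYS.fetch(rid_key.to_s) do
    raise UnknownIdentifierKey, "rid_key not permitted: #{rid_key.inspect}"
  end
  repository.public_send(method_name)
end

if __FILE__ == $PROGRAM_NAME
  repo = Repository.new(id: 42, name: "payroll")
  puts safe_identifier(repo, "name")
  begin
    safe_identifier(repo, "dump_environment")
  rescue UnknownIdentifierKey => e
    puts "rejected: #{e.message}"
  end
end
```

The important detail for review is that the allowlist is keyed on the request value and yields a symbol the code chose, so the caller never selects a method name directly; a nil or unexpected rid_key raises before any dispatch happens, which is also the event to log when auditing for probing of this endpoint.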
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains two Python exploit scripts targeting critical vulnerabilities in GitHub Enterprise Server: CVE-2024-0200 and CVE-2024-0507. The structure is straightforward, with each exploit in its own file (CVE-2024-0200.py and CVE-2024-0507.py), a README.md with background and references, and an assets directory for images. CVE-2024-0200.py exploits an unsafe reflection vulnerability that allows an attacker with organization owner credentials to leak the ENTERPRISE_SESSION_SECRET and craft a malicious session cookie. This cookie, when sent to the server, triggers a Ruby Marshal deserialization vulnerability, resulting in remote code execution (RCE) as the server. The payload opens a reverse shell to an attacker-controlled IP and port. CVE-2024-0507.py exploits a command injection vulnerability in the management console's storage settings. By injecting a command into a POST parameter, the attacker can reset the root site admin password to a known value, effectively escalating privileges to site admin. The script automates login, CSRF token handling, payload delivery, and status checking. Both exploits require valid credentials and target network-accessible endpoints on the GitHub Enterprise Server web interface. The code is operational, automating the full exploitation process for each CVE. No fake or detection-only scripts are present.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
An unsafe Ruby reflection vulnerability in GitHub/GitHub Enterprise Server caused by unvalidated use of repository.send(@repository_identifier_key), allowing zero-argument arbitrary method invocation on a Repository object. It enabled disclosure of environment variables and secrets on GitHub.com and could be chained to remote code execution on GHES.
An unsafe Ruby reflection vulnerability in GitHub/GitHub Enterprise Server caused by unvalidated use of repository.send with attacker-controlled rid_key, enabling zero-argument arbitrary method invocation on Repository objects. It allowed disclosure of environment variables and secrets on GitHub.com and could be chained to remote code execution on GHES.