CVE-2024-10007

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

path collision and arbitrary code execution vulnerability was identified in GitHub Enterprise Server that allowed container escape to escalate to root via ghe-firejail path. Exploitation of this vulnerability requires Enterprise Administrator access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise prior to 3.15 and was fixed in versions 3.14.3, 3.13.6, 3.12.11, and 3.11.17. This vulnerability was reported via the GitHub Bug Bounty program.

References

Link	Resource
https://docs.github.com/en/[email protected]/admin/release-notes#3.11.17	Release Notes
https://docs.github.com/en/[email protected]/admin/release-notes#3.12.11	Release Notes
https://docs.github.com/en/[email protected]/admin/release-notes#3.13.6	Release Notes
https://docs.github.com/en/[email protected]/admin/release-notes#3.14.3	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::

History

27 Aug 2025, 16:32

Type	Values Removed	Values Added
First Time		Github Github enterprise Server
CPE		cpe:2.3:a:github:enterprise_server::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
References	~~() https://docs.github.com/en/[email protected]/admin/release-notes#3.11.17 -~~	() https://docs.github.com/en/[email protected]/admin/release-notes#3.11.17 - Release Notes
References	~~() https://docs.github.com/en/[email protected]/admin/release-notes#3.12.11 -~~	() https://docs.github.com/en/[email protected]/admin/release-notes#3.12.11 - Release Notes
References	~~() https://docs.github.com/en/[email protected]/admin/release-notes#3.13.6 -~~	() https://docs.github.com/en/[email protected]/admin/release-notes#3.13.6 - Release Notes
References	~~() https://docs.github.com/en/[email protected]/admin/release-notes#3.14.3 -~~	() https://docs.github.com/en/[email protected]/admin/release-notes#3.14.3 - Release Notes

08 Nov 2024, 19:01

Type	Values Removed	Values Added
Summary		(es) Se identificó una vulnerabilidad de colisión de rutas y ejecución de código arbitrario en GitHub Enterprise Server que permitía que el escape de contenedores escalara a la raíz a través de la ruta ghe-firejail. La explotación de esta vulnerabilidad requiere acceso de administrador de la empresa a la instancia de GitHub Enterprise Server. Esta vulnerabilidad afectó a todas las versiones de GitHub Enterprise anteriores a la 3.15 y se corrigió en las versiones 3.14.3, 3.13.6, 3.12.11 y 3.11.17. Esta vulnerabilidad se informó a través del programa de recompensas por errores de GitHub.

07 Nov 2024, 23:15

Type	Values Removed	Values Added
Summary	(en) A path collision and arbitrary code execution vulnerability was identified in GitHub Enterprise Server that allowed container escape and privilege escalation to root via the ghe-firejail path. This vulnerability affected all versions of GitHub Enterprise prior to 3.15 and was fixed in versions 3.14.3, 3.13.6, 3.12.11, and 3.11.17. This vulnerability was reported via the GitHub Bug Bounty program.	(en) A path collision and arbitrary code execution vulnerability was identified in GitHub Enterprise Server that allowed container escape to escalate to root via ghe-firejail path. Exploitation of this vulnerability requires Enterprise Administrator access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise prior to 3.15 and was fixed in versions 3.14.3, 3.13.6, 3.12.11, and 3.11.17. This vulnerability was reported via the GitHub Bug Bounty program.

07 Nov 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-07 21:15

Updated : 2025-08-27 16:32

NVD link : CVE-2024-10007

Mitre link : CVE-2024-10007

CVE.ORG link : CVE-2024-10007

JSON object : View

Products Affected

github

enterprise_server

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

9.1 /10