GitHub Enterprise Server
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*
- < 3.17
A remote code execution vulnerability has been identified in GitHub Enterprise Server versions prior to 3.17. This vulnerability allows attackers to execute arbitrary code by exploiting the pre-receive hook functionality. The exploitation could lead to privilege escalation and system compromise. The vulnerability is only exploitable under specific operational conditions, such as during a hot patch upgrade, when dynamically allocated ports become temporarily available. Exploitation requires either site administrator permissions to enable and configure pre-receive hooks, or a user with permissions to modify repositories containing pre-receive hooks where this functionality is already enabled.
Successful exploitation allows arbitrary code execution, potentially leading to unauthorized access and elevated privileges on the affected system.
To reproduce this vulnerability, a user must have site administrator permissions or the ability to modify repositories with pre-receive hooks. During a hot patch upgrade, when dynamic ports are available, the pre-receive hook can be exploited to execute arbitrary code.
Users can upgrade to GitHub Enterprise Server versions 3.16.2, 3.15.6, 3.14.11, or 3.13.14 to address this vulnerability.