GitHub Enterprise Server Remote Code Execution Vulnerability via Git Push Options

Vulnerability

A remote code execution vulnerability has been identified in GitHub Enterprise Server. This issue allows an attacker with push access to a repository to execute arbitrary code on the instance. The vulnerability arises from improper sanitization of user-supplied push option values, which are injected into internal service headers during a git push operation. Exploitation involves crafting push options that inject additional metadata fields, bypassing normal input validation. This vulnerability affects GitHub Enterprise Server versions 3.14.0 prior to 3.14.24, 3.15.0 prior to 3.15.19, 3.16.0 prior to 3.16.15, 3.17.0 prior to 3.17.12, 3.18.0 prior to 3.18.6, and 3.19.0 prior to 3.19.3.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected GitHub Enterprise Server instance.

Reproduction

To reproduce this vulnerability, an authenticated user with push access to a repository can inject malicious values into the Git push options. These options are not properly sanitized before being included in internal headers, allowing the injection of additional metadata that can be exploited to execute code on the server.
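The following is an added illustration, not GitHub's code: a text-header builder that concatenates push option values verbatim (the weak pattern the advisory describes) beside one that allow-lists each value first, with a naive header parser and constructed sample options (the header names and the `validate_push_option` check are assumptions) so the difference in parsed metadata can be observed directly.

```python
import re

# Allow-list for a push option value: printable ASCII only, bounded length.
# CR, LF and other control characters are excluded, so a value can never end
# the header line it sits on or start an additional one (assumed policy).
_ALLOWED = re.compile(r"^[\x20-\x7e]{1,1024}$")

def validate_push_option(value):
    """Return True only if the value is safe to place in a text header."""
    return isinstance(value, str) and _ALLOWED.fullmatch(value) is not None

def build_headers_unsafe(push_options):
    """Weak pattern: each option is concatenated verbatim into a header line."""
    return "".join(f"X-Example-Push-Option: {opt}\r\n" for opt in push_options)

def build_headers_safe(push_options):
    """Hardened pattern: reject the whole push if any option fails validation."""
    rejected = [opt for opt in push_options if not validate_push_option(opt)]
    if rejected:
        raise ValueError(f"rejected {len(rejected)} push option(s)")
    return build_headers_unsafe(push_options)

def parse_headers(block):
    """Naive CRLF header parser standing in for the downstream internal service."""
    headers = {}
    for line in block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(": ")
        headers.setdefault(name, []).append(value)
    return headers

# Constructed sample input: one benign option and one carrying an embedded CRLF.
BENIGN = "ci.skip"
INJECTED = "deploy=staging\r\nX-Example-Extra: constructed"

if __name__ == "__main__":
    # Unsafe path: the parser sees a header the client never legitimately sent.
    print(parse_headers(build_headers_unsafe([BENIGN, INJECTED])))
    try:
        build_headers_safe([BENIGN, INJECTED])
    except ValueError as exc:
        print("hardened path:", exc)
```

Validating at the boundary where the value enters the header format is the key point; encoding the value (for example base64) instead of rejecting it is an equally valid fix as long as the parser on the other side decodes it.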

Remediation

Users can upgrade to GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 or 3.19.3 to address this vulnerability.

Added: Mar 10, 2026, 6:22 PM
Updated: Mar 10, 2026, 6:22 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 7.5
exploitability: 5.6
remediation: 8.3
relevance: 3.7
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.