¡¾Îó²îͨ¸æ¡¿GitHub Enterprise ServerÏÂÁî×¢ÈëÎó²î£¨CVE-2024-2443£©

Ðû²¼Ê±¼ä 2024-03-21

Ò»¡¢Îó²î¸ÅÊö

Îó²îÃû³Æ

 GitHub Enterprise ServerÏÂÁî×¢ÈëÎó²î

CVE   ID

CVE-2024-2443

Îó²îÀàÐÍ

ÏÂÁî×¢Èë

·¢Ã÷ʱ¼ä

2024-03-21

Îó²îÆÀ·Ö

9.1

Îó²îÆ·¼¶

¸ßΣ

¹¥»÷ÏòÁ¿

ÍøÂç

ËùÐèȨÏÞ

¸ß

ʹÓÃÄѶÈ

µÍ

Óû§½»»¥

ÎÞ

PoC/EXP

δ¹ûÕæ

ÔÚҰʹÓÃ

δ·¢Ã÷

 

GitHub Enterprise Server ÊÇÒ»¸öÓÃÓÚÆóÒµÄÚÈí¼þ¿ª·¢µÄ×ÔÍÐ¹ÜÆ½Ì¨£¬£¬£¬£¬£¬ £¬ÍŶӿÉʹÓà GitHub Enterprise Server ͨ¹ýGit°æ±¾¿ØÖÆ¡¢Ç¿Ê¢µÄ API¡¢Éú²úÁ¦ºÍЭ×÷¹¤¾ßÒÔ¼°¼¯³ÉÀ´¹¹½¨ºÍÐû²¼Èí¼þ¡£¡£¡£¡£¡£¡£¡£

2024Äê3ÔÂ21ÈÕ£¬£¬£¬£¬£¬ £¬¼øºÚµ£±£ÍøVSRC¼à²âµ½GitHub Enterprise ServerÖÐÐÞ¸´ÁËÒ»¸öÏÂÁî×¢ÈëÎó²î£¨CVE-2024-2443£©£¬£¬£¬£¬£¬ £¬¸ÃÎó²îµÄCVSSÆÀ·ÖΪ9.1¡£¡£¡£¡£¡£¡£¡£

GitHub Enterprise Server¶à¸öÊÜÓ°Ïì°æ±¾Öб£´æÏÂÁî×¢ÈëÎó²î£¬£¬£¬£¬£¬ £¬Äܹ»»á¼û GitHub Enterprise ServerʵÀý²¢ÔÚÖÎÀí¿ØÖÆÌ¨ÖоßÓб༭Õß½ÇÉ«µÄÍþвÕß¿ÉÒÔÔÚÉèÖà GeoJSON ÉèÖÃʱͨ¹ýÏÂÁî×¢Èë»ñµÃ¶ÔʵÀýµÄSSH»á¼ûȨÏÞ¡£¡£¡£¡£¡£¡£¡£

±ðµÄ£¬£¬£¬£¬£¬ £¬GitHub Enterprise Server¶à¸öÊÜÓ°Ïì°æ±¾Öл¹ÐÞ¸´ÁËÒ»¸öÊäÈëÑéÖ¤²»µ±Îó²î£¨CVE-2024-2469£¬£¬£¬£¬£¬ £¬CVSSÆÀ·Ö8.0£©£¬£¬£¬£¬£¬ £¬ÔÚ GitHub Enterprise Server ÖоßÓÐÖÎÀíÔ±½ÇÉ«µÄÍþвÕß¿ÉÒÔͨ¹ýÔ¶³Ì´úÂëÖ´ÐлñµÃ SSH root »á¼ûȨÏÞ¡£¡£¡£¡£¡£¡£¡£


¶þ¡¢Ó°Ïì¹æÄ£

GitHub Enterprise Server 3.8°æ±¾< 3.8.17

GitHub Enterprise Server 3.9°æ±¾< 3.9.12

GitHub Enterprise Server 3.10°æ±¾< 3.10.9

GitHub Enterprise Server 3.11°æ±¾< 3.11.7

GitHub Enterprise Server 3.12°æ±¾< 3.12.1

 

Èý¡¢Çå¾²²½·¥

3.1 Éý¼¶°æ±¾

ÏÖÔÚÕâЩÎó²îÒѾ­ÐÞ¸´£¬£¬£¬£¬£¬ £¬ÊÜÓ°ÏìÓû§¿ÉÉý¼¶µ½GitHub Enterprise Server °æ±¾3.8.17¡¢3.9.12¡¢3.10.9¡¢3.11.7 »ò3.12.1¡£¡£¡£¡£¡£¡£¡£

ÏÂÔØÁ´½Ó£º

https://enterprise.github.com/releases/3.12.1/download

3.2 ÔÝʱ²½·¥

ÔÝÎÞ¡£¡£¡£¡£¡£¡£¡£

3.3 ͨÓý¨Òé

l  °´ÆÚ¸üÐÂϵͳ²¹¶¡£¡£¡£¡£¡£¡£¡£¬£¬£¬£¬£¬ £¬ïÔ̭ϵͳÎó²î£¬£¬£¬£¬£¬ £¬ÌáÉýЧÀÍÆ÷µÄÇå¾²ÐÔ¡£¡£¡£¡£¡£¡£¡£

l  ÔöǿϵͳºÍÍøÂçµÄ»á¼û¿ØÖÆ£¬£¬£¬£¬£¬ £¬Ð޸ķÀ»ðǽսÂÔ£¬£¬£¬£¬£¬ £¬¹Ø±Õ·ÇÐëÒªµÄÓ¦Óö˿ڻòЧÀÍ£¬£¬£¬£¬£¬ £¬ïÔÌ­½«Î£ÏÕЧÀÍ£¨ÈçSSH¡¢RDPµÈ£©Ì»Â¶µ½¹«Íø£¬£¬£¬£¬£¬ £¬ïÔÌ­¹¥»÷Ãæ¡£¡£¡£¡£¡£¡£¡£

l  ʹÓÃÆóÒµ¼¶Çå¾²²úÆ·£¬£¬£¬£¬£¬ £¬ÌáÉýÆóÒµµÄÍøÂçÇå¾²ÐÔÄÜ¡£¡£¡£¡£¡£¡£¡£

l  ÔöǿϵͳÓû§ºÍȨÏÞÖÎÀí£¬£¬£¬£¬£¬ £¬ÆôÓöàÒòËØÈÏÖ¤»úÖÆºÍ×îСȨÏÞÔ­Ôò£¬£¬£¬£¬£¬ £¬Óû§ºÍÈí¼þȨÏÞÓ¦¼á³ÖÔÚ×îµÍÏÞ¶È¡£¡£¡£¡£¡£¡£¡£

l  ÆôÓÃÇ¿ÃÜÂëÕ½ÂÔ²¢ÉèÖÃΪ°´ÆÚÐ޸ġ£¡£¡£¡£¡£¡£¡£

3.4 ²Î¿¼Á´½Ó

https://nvd.nist.gov/vuln/detail/CVE-2024-2443

https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.9

 

ËÄ¡¢°æ±¾ÐÅÏ¢

°æ±¾

ÈÕÆÚ

±¸×¢

V1.0

2024-03-21

Ê×´ÎÐû²¼

 

  

Îå¡¢¸½Â¼

5.1 ¼øºÚµ£±£Íø¼ò½é

¼øºÚµ£±£Íø½¨ÉèÓÚ1996Ä꣬£¬£¬£¬£¬ £¬ÊÇÓÉÁôÃÀ²©Ê¿ÑÏÍû¼ÑŮʿ½¨ÉèµÄ¡¢ÓµÓÐÍêÈ«×ÔÖ÷֪ʶ²úȨµÄÐÅÏ¢Çå¾²¸ß¿Æ¼¼ÆóÒµ¡£¡£¡£¡£¡£¡£¡£ÊǺ£ÄÚ×î¾ßʵÁ¦µÄÐÅÏ¢Çå¾²²úÆ·¡¢Ç徲ЧÀͽâ¾ö¼Æ»®µÄÁ캽ÆóÒµÖ®Ò»¡£¡£¡£¡£¡£¡£¡£

¹«Ë¾×ܲ¿Î»ÓÚ±±¾©ÊÐÖйشåÈí¼þÔ°¼øºÚµ£±£Íø´óÏ㬣¬£¬£¬£¬ £¬¹«Ë¾Ô±¹¤6000ÓàÈË£¬£¬£¬£¬£¬ £¬Ñз¢ÍŶÓ1200ÓàÈË, ÊÖÒÕЧÀÍÍŶÓ1300ÓàÈË¡£¡£¡£¡£¡£¡£¡£ÔÚÌìϸ÷Ê¡¡¢ÊС¢×ÔÖÎÇøÉèÁ¢·ÖÖ§»ú¹¹ÁùÊ®¶à¸ö£¬£¬£¬£¬£¬ £¬ÓµÓÐÁýÕÖÌìϵÄÏúÊÛϵͳ¡¢ÇþµÀϵͳºÍÊÖÒÕÖ§³Öϵͳ¡£¡£¡£¡£¡£¡£¡£¹«Ë¾ÓÚ2010Äê6ÔÂ23ÈÕÔÚÉîÛÚÖÐС°å¹ÒÅÆÉÏÊС£¡£¡£¡£¡£¡£¡££¨¹ÉƱ´úÂ룺002439£©

¶àÄêÀ´£¬£¬£¬£¬£¬ £¬¼øºÚµ£±£ÍøÖÂÁ¦ÓÚÌṩ¾ßÓйú¼Ê¾ºÕùÁ¦µÄ×ÔÖ÷Á¢ÒìµÄÇå¾²²úÆ·ºÍ×î¼Ñʵ¼ùЧÀÍ£¬£¬£¬£¬£¬ £¬×ÊÖú¿Í»§ÖÜÈ«ÌáÉýÆäIT»ù´¡ÉèÊ©µÄÇå¾²ÐÔºÍÉú²úЧÄÜ£¬£¬£¬£¬£¬ £¬Îª´òÔìºÍÌáÉý¹ú¼Ê»¯µÄÃñ×åÐÅÏ¢Çå¾²¹¤ÒµÁì¾üÆ·ÅÆ¶ø²»Ð¸Æð¾¢¡£¡£¡£¡£¡£¡£¡£

5.2 ¹ØÓÚ¼øºÚµ£±£Íø

¼øºÚµ£±£ÍøÇå¾²Ó¦¼±ÏìÓ¦ÖÐÐÄÒÑÐû²¼1000¶à¸öÎó²îͨ¸æºÍΣº¦Ô¤¾¯£¬£¬£¬£¬£¬ £¬ÎÒÃǽ«Ò»Á¬¸ú×ÙÈ«Çò×îеÄÍøÂçÇå¾²ÊÂÎñºÍÎó²î£¬£¬£¬£¬£¬ £¬ÎªÆóÒµµÄÐÅÏ¢Çå¾²±£¼Ý»¤º½¡£¡£¡£¡£¡£¡£¡£

¹Ø×¢ÎÒÃÇ£º

image.png