PR Information

/claim #14451

• Added CVE-2017-18365 - GitHub Enterprise < 2.8.7 Insecure Deserialization RCE
• References:
  • https://nvd.nist.gov/vuln/detail/CVE-2017-18365
  • https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/github_enterprise_secret.rb
  • https://enterprise.github.com/releases/2.8.7/notes

Template validation

• Template validated with nuclei -validate
• YAML linting passed
• Verified against project contribution guidelines

Additional Details

Detection Approach:

• Targets /setup/unlock endpoint on GitHub Enterprise Management Console
• Checks for presence of _gh_manage cookie (indicates exploitable configuration)
• Extracts cookie value for further analysis

Why Detection-Only: Previous PRs (#14452, #14454) attempted exploitation (timing-based and OAST) but were closed. This template focuses on reliable detection of the vulnerable configuration:

1. Presence of hardcoded session secret (641dd6454584ddabfed6342cc66281fb)
2. Cookie format: [base64_data]--[sha1_hmac]
3. Vulnerable to unauthenticated RCE via Ruby Marshal.load

Note on Exploitation: Full exploitation requires crafting Ruby Marshal payloads with the known secret. The complex serialization structure and Ruby version dependencies make reliable nuclei-based exploitation challenging. The detection approach provides practical value for identifying vulnerable targets.

Shodan Query: http.title:"github debug"

Additional References:

• Nuclei Template Creation Guideline
• Nuclei Template Contribution Guideline
• PD-Community Discord server