PR
Add CVE-2017-18365 GitHub Enterprise RCE detection
projectdiscovery/nuclei-templates#14452

/claim #14451

PR Information

GitHub Enterprise 2.8.x before 2.8.7 uses a hardcoded session secret, allowing unauthenticated RCE via Ruby deserialization.

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details

Detection logic follows the Metasploit module: extracts _gh_manage cookie, computes HMAC-SHA1 with known static secret, compares against signature.

GitHub Enterprise is proprietary - tested against mock servers simulating vulnerable/patched cookie signing behavior.

Additional References:
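
The signature check described under Additional Details, as an added Ruby example that is not the PR's template or the Metasploit module's code. It assumes the cookie has Rack's signed-session shape `<base64 data>--<hex HMAC-SHA1>`; the secret is a placeholder (the PR text does not state it), and the helper names and `Set-Cookie` headers are constructed for illustration.

```ruby
require 'openssl'
require 'uri'

# Placeholder (assumption): the PR text does not give the static secret.
KNOWN_STATIC_SECRET = 'PLACEHOLDER_STATIC_SECRET'
COOKIE_NAME = '_gh_manage'

def hmac_sha1_hex(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Return the URL-decoded cookie value from a Set-Cookie header value, or nil.
def extract_cookie(set_cookie, name = COOKIE_NAME)
  set_cookie.to_s.split(/;\s*/).each do |part|
    key, value = part.split('=', 2)
    return URI.decode_www_form_component(value) if key == name && value
  end
  nil
end

# Compare two strings without stopping at the first differing byte.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# :static_secret -> signature verifies under the known secret (vulnerable signing)
# :other_secret  -> well-formed cookie signed with some other key
# :malformed     -> not "<data>--<40 hex chars>"
# The data part is only hashed, never Base64-decoded or passed to Marshal.load.
def classify_cookie(value, secret = KNOWN_STATIC_SECRET)
  data, sep, digest = value.to_s.rpartition('--')
  return :malformed if sep.empty? || data.empty? || digest !~ /\A\h{40}\z/
  constant_time_eq?(hmac_sha1_hex(secret, data), digest.downcase) ? :static_secret : :other_secret
end

# Constructed responses, mirroring the mock-server testing the PR describes.
def mock_set_cookie(secret)
  data = ['constructed-opaque-session-bytes'].pack('m0')
  signed = "#{data}--#{hmac_sha1_hex(secret, data)}"
  "#{COOKIE_NAME}=#{URI.encode_www_form_component(signed)}; path=/; HttpOnly"
end

[KNOWN_STATIC_SECRET, 'per-install-random-secret'].each do |secret|
  puts classify_cookie(extract_cookie(mock_set_cookie(secret)))
end
```

Treating `:malformed` and `:other_secret` as non-matches is what keeps the check from firing on patched hosts or on unrelated applications that happen to set a cookie with the same name.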

Claim

Total prize pool $100
Total paid $0
Status Pending
Submitted December 19, 2025
Last updated December 19, 2025

Contributors

KrE80r

@KrE80r

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$100