/claim #14451

PR Information

This PR adds a detection-only template for CVE-2017-18365, which affects GitHub Enterprise versions before 2.8.7. The vulnerability is a critical insecure deserialization issue in the Management Console, leading to unauthenticated Remote Code Execution due to a hardcoded session secret.

References:

Template Validation

  • Template validated with nuclei -validate.
  • YAML linting passed.
  • Verified against project contribution guidelines.

Rationale for Detection-Only Approach

Previous attempts to create a full RCE exploit template for this CVE (#14452, #14454) were closed because a verifiable, vulnerable test environment could not be provided, as GitHub Enterprise 2.8.x is legacy proprietary software.

This template focuses on providing a reliable, high-fidelity detection of the vulnerable configuration by:

  1. Targeting the /setup/unlock endpoint of the Management Console.
  2. Verifying the presence of the _gh_manage session cookie.
  3. Confirming the page title corresponds to the GitHub Enterprise Management Console.

This approach provides a strong signal for the vulnerability’s presence without the complexities and verifiability issues of a full exploitation chain, offering immediate value to users. The metadata is marked with verified: false to reflect that full exploitation has not been tested.

Shodan Query

http.title:"github debug"
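The three checks listed under "Rationale for Detection-Only Approach", evaluated offline against captured responses. This is an added example, not the template submitted in the PR. The title marker, the function names and the sample responses are assumptions constructed for illustration, since the PR text does not quote the exact title string.

```python
from html.parser import HTMLParser

# Assumption: placeholder marker; the PR does not state the exact title text.
ASSUMED_TITLE_MARKER = "github enterprise"

class TitleParser(HTMLParser):
    """Collects the text found inside the <title> element."""
    def __init__(self):
        super().__init__()
        self.in_title, self.title = False, ""
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
    def handle_data(self, data):
        if self.in_title:
            self.title += data

def cookie_names(set_cookie_headers):
    # Compare exact cookie names; a substring search over the raw header
    # would also match unrelated names such as "_gh_manage_backup".
    return {h.split(";", 1)[0].partition("=")[0].strip() for h in set_cookie_headers}

def evaluate(path, set_cookie_headers, body, title_marker=ASSUMED_TITLE_MARKER):
    """Return the result of each check plus the combined verdict."""
    parser = TitleParser()
    parser.feed(body)
    checks = {
        "endpoint": path.split("?", 1)[0].rstrip("/") == "/setup/unlock",
        "cookie": "_gh_manage" in cookie_names(set_cookie_headers),
        "title": title_marker in parser.title.lower(),
    }
    checks["match"] = all(checks.values())
    return checks

# Constructed sample responses: (request path, Set-Cookie headers, body).
CONSOLE_BODY = "<html><head><title>GitHub Enterprise (constructed sample)</title></head></html>"
SAMPLES = {
    "console": ("/setup/unlock", ["_gh_manage=constructed-value--0000; path=/; HttpOnly"], CONSOLE_BODY),
    "no_cookie": ("/setup/unlock", ["session=constructed; path=/"], CONSOLE_BODY),
    "lookalike": ("/setup/unlock", ["_gh_manage_backup=constructed"], "<title>Login</title>"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, evaluate(*sample))
```

None of the three checks reads a version number, so a match identifies a reachable Management Console and still needs a version check against 2.8.7 before a host is treated as affected.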

Claim

  • Total prize pool: $100
  • Total paid: $0
  • Status: Pending
  • Submitted: January 01, 2026
  • Last updated: January 01, 2026

Contributors

  • Dusko Licanin (@DanLika): 100%

Sponsors

  • ProjectDiscovery (@projectdiscovery): $100