PR Information

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details (leave it blank if not applicable)

Template Mechanics Verified:

  • Ran nuclei -debug against test target
  • Confirmed payload construction and request formatting works correctly
  • All 4 cookie/endpoint combinations tested successfully

No test environment available (GitHub Enterprise 2.8.x is legacy paid software).

Template is based on:

  1. Documented Metasploit exploit module (github_enterprise_secret.rb)
  2. Original POC by exablue GmbH
  3. Same Ruby Marshal deserialization pattern as existing template infoblox-netmri-rails-cookie-rce.yaml

Shodan Query: http.title:"github debug"

The template uses OAST (interactsh) to confirm code execution - not version-based detection.

/claim #14451

Claim

Total prize pool $100
Total paid $0
Status Pending
Submitted December 19, 2025
Last updated December 19, 2025

Contributors

Darshan

@Dxrshn

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$100