SecuritySpace - CVE-2017-18365

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

CVE ID: CVE-2017-18365

Description: The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a deserialization issue that allows unauthenticated remote attackers to execute arbitrary code. This occurs because the enterprise session secret is always the same, and can be found in the product's source code. By sending a crafted cookie signed with this secret, one can call Marshal.load with arbitrary data, which is a problem because the Marshal data format allows Ruby objects.

Test IDs: 1.3.6.1.4.1.25623.1.0.140196

Cross References: Common Vulnerability Exposure (CVE) ID: CVE-2017-18365
https://enterprise.github.com/releases/2.8.7/notes
https://www.exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html

CVE ID:	CVE-2017-18365
Description:	The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a deserialization issue that allows unauthenticated remote attackers to execute arbitrary code. This occurs because the enterprise session secret is always the same, and can be found in the product's source code. By sending a crafted cookie signed with this secret, one can call Marshal.load with arbitrary data, which is a problem because the Marshal data format allows Ruby objects.
Test IDs:	1.3.6.1.4.1.25623.1.0.140196
Cross References:	Common Vulnerability Exposure (CVE) ID: CVE-2017-18365 https://enterprise.github.com/releases/2.8.7/notes https://www.exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html