CVE-2017-18365
Description
The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a deserialization issue that allows unauthenticated remote attackers to execute arbitrary code. This occurs because the enterprise session secret is always the same, and can be found in the product's source code. By sending a crafted cookie signed with this secret, one can call Marshal.load with arbitrary data, which is a problem because the Marshal data format allows Ruby objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated remote code execution via deserialization in GitHub Enterprise Management Console due to hardcoded session secret.
Vulnerability
The Management Console in GitHub Enterprise versions 2.8.0 through 2.8.6 contains a deserialization vulnerability. The enterprise session secret is hardcoded and can be found in the product's source code. An attacker can craft a cookie signed with this secret and use it to call Marshal.load with arbitrary data, allowing execution of arbitrary Ruby objects. [1]
Exploitation
An unauthenticated remote attacker can exploit this by sending a specially crafted cookie to the Management Console, which is accessible on ports 8080 and 8443. No prior authentication or access is required. The hardcoded secret is known, so the attacker can forge a valid cookie that triggers deserialization of a malicious payload. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary code on the GitHub Enterprise appliance. This leads to full compromise of the appliance, including potential data access, modification, and further lateral movement. The attacker gains the highest level of privileges on the system. [1]
Mitigation
The vulnerability is fixed in GitHub Enterprise version 2.8.7, released January 31, 2017. Users should upgrade to 2.8.7 or later. No workarounds are mentioned in the reference. [1]
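The root cause described in the Vulnerability and Mitigation sections is a pair of design faults: a session secret that ships as a constant in the source tree, and a cookie body that the server hands to Marshal.load. The following hardened signed-cookie store is an added teaching example, not GitHub Enterprise code; class and method names, the cookie format ("base64 body--hex HMAC") and the constructed stand-in secret are all assumptions. It shows why a shared constant lets anyone who has read the code mint cookies the server accepts, why a per-installation random secret does not, and why parsing the body as JSON instead of Marshal closes the object-instantiation path even for a correctly signed cookie.

```ruby
require 'openssl'
require 'securerandom'
require 'json'
require 'base64'

# Hypothetical hardened signed-cookie session store (teaching example, not
# GitHub Enterprise code). It addresses both halves of CVE-2017-18365:
#   1. the signing secret is generated per installation, never a constant in
#      the source tree, so reading the code does not reveal it;
#   2. the cookie body is JSON, never Marshal, so even a correctly signed
#      cookie cannot make the server instantiate arbitrary Ruby objects.
class SessionCookie
  MIN_SECRET_BYTES = 32

  def initialize(secret)
    raise ArgumentError, 'session secret too short' if secret.bytesize < MIN_SECRET_BYTES
    @secret = secret
  end

  # Generate a fresh secret at install time; persist it outside the code base
  # (for example a mode-0600 config file or a secrets manager).
  def self.generate_secret
    SecureRandom.hex(MIN_SECRET_BYTES)
  end

  # Build "<base64 json>--<hex hmac-sha256>".
  def encode(session_hash)
    body = Base64.strict_encode64(JSON.generate(session_hash))
    "#{body}--#{sign(body)}"
  end

  # Return the session Hash, or nil when the cookie must not be trusted.
  # The signature is checked before any decoding touches the body.
  def decode(cookie)
    body, sig = cookie.to_s.split('--', 2)
    return nil if body.nil? || sig.nil?
    return nil unless secure_compare(sign(body), sig)
    JSON.parse(Base64.strict_decode64(body))
  rescue ArgumentError, JSON::ParserError, EncodingError
    nil # malformed base64 or non-JSON (e.g. a Marshal blob) is rejected
  end

  private

  def sign(body)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, body)
  end

  # Constant-time comparison so a forger cannot measure partial matches.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Contrast the two secret-management strategies. Returns a Hash of outcomes.
def demonstrate_secret_handling
  session = { 'user' => 'alice', 'admin' => false }

  # Constructed stand-in for a secret that ships in the source code: every
  # copy of the product, and anyone who reads the code, shares it.
  hardcoded = 'constructed-hardcoded-secret-0123456789abcdef'
  server_hardcoded = SessionCookie.new(hardcoded)
  outsider_with_source = SessionCookie.new(hardcoded)

  # Per-installation secret: a second party cannot produce a valid signature.
  server_random = SessionCookie.new(SessionCookie.generate_secret)
  outsider_guess = SessionCookie.new(SessionCookie.generate_secret)

  # A Marshal body carrying the server's own valid signature, to show that
  # the store rejects it purely on format, never reaching Marshal.load.
  marshal_body = Base64.strict_encode64(Marshal.dump(session))
  signed_marshal = "#{marshal_body}--#{server_random.send(:sign, marshal_body)}"

  {
    # legitimate round trip works with the per-install secret
    roundtrip: server_random.decode(server_random.encode(session)) == session,
    # with a shared constant, a cookie minted elsewhere verifies on the server
    hardcoded_secret_accepts_outside_cookie:
      server_hardcoded.decode(outsider_with_source.encode(session)) == session,
    # with a per-install secret, the same attempt is rejected
    random_secret_rejects_outside_cookie:
      server_random.decode(outsider_guess.encode(session)).nil?,
    # a correctly signed Marshal payload is still rejected (JSON only)
    marshal_body_rejected: server_random.decode(signed_marshal).nil?
  }
end

if __FILE__ == $PROGRAM_NAME
  demonstrate_secret_handling.each { |k, v| puts "#{k}: #{v}" }
end
```

Running the file prints the four outcomes; the first, second and fourth are true and the third confirms that an outsider without the installation's secret is rejected. The signature check deliberately runs before Base64 or JSON decoding, so unauthenticated input never reaches a parser, and the parser chosen (JSON) cannot construct arbitrary objects the way Marshal can.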
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=2.8.0,<2.8.7
- (no CPE) range: <2.8.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- enterprise.github.com/releases/2.8.7/notes
- www.exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html
News mentions
No linked articles in our index yet.