CVE-2024-6336

2024-07-16 22:15:05
CWE-200
GitHub_P
web.nvd.nist.gov
30
github
security misconfiguration
sensitive information disclosure
organization ruleset
vulnerability
unauthorized access
github bug bounty

CVSS4: 6.9

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: ACTIVE

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/SC:H/VI:N/SI:N/VA:N/SA:N/S:N/AU:N/U:Amber/R:U

AI Score: 6
Confidence: High

EPSS: 0
Percentile: 16.0%

A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users by exploiting the organization ruleset feature. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.

Affected configurations

Vulners Node (affected version ranges, any one of):

  github / github_enterprise_server   Range 3.10.0 to 3.10.13
  OR
  github / github_enterprise_server   Range 3.11.0 to 3.11.11
  OR
  github / github_enterprise_server   Range 3.12.0 to 3.12.5
  OR
  github / github_enterprise_server   Range 3.13 to 3.13.0
  OR
  github / github_enterprise_server   Range 3.9.0 to 3.9.16

Vendor   Product                    Version   CPE
github   github_enterprise_server   *         cpe:2.3:a:github:github_enterprise_server:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "GitHub Enterprise Server",
    "vendor": "GitHub",
    "versions": [
      {
        "changes": [
          {
            "at": "3.10.14",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.10.13",
        "status": "affected",
        "version": "3.10.0",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.11.12",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.11.11",
        "status": "affected",
        "version": "3.11.0",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.12.6",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.12.5",
        "status": "affected",
        "version": "3.12.0",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.13.1",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.13.0",
        "status": "affected",
        "version": "3.13",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.9.17",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.9.16",
        "status": "affected",
        "version": "3.9.0",
        "versionType": "semver"
      }
    ]
  }
]
