Lucene search

GitHub_PCVELIST:CVE-2024-6336

HistoryJul 16, 2024 - 9:27 p.m.

CVE-2024-6336 Security misconfiguration was identified in GitHub Enterprise Server that allowed sensitive data exposure

2024-07-1621:27:07

CWE-200

GitHub_P

www.cve.org

cve-2024-6336

github enterprise server

security misconfiguration

sensitive data exposure

organization ruleset

vulnerability

information disclosure

unauthorized users

bug bounty program

CVSS4

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

ACTIVE

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/SC:H/VI:N/SI:N/VA:N/SA:N/S:N/AU:N/U:Amber/R:U

EPSS

Percentile

16.0%

JSON

A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users in GitHub Enterprise Server by exploiting organization ruleset feature. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "GitHub Enterprise Server",
    "vendor": "GitHub",
    "versions": [
      {
        "changes": [
          {
            "at": "3.10.14",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.10.13",
        "status": "affected",
        "version": "3.10.0",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.11.12",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.11.11",
        "status": "affected",
        "version": "3.11.0",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.12.6",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.12.5",
        "status": "affected",
        "version": "3.12.0",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.13.1",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.13.0",
        "status": "affected",
        "version": "3.13",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.9.17",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.9.16",
        "status": "affected",
        "version": "3.9.0",
        "versionType": "semver"
      }
    ]
  }
]

References

docs.github.com/en/[email protected]/admin/release-notes#3.10.15

docs.github.com/en/[email protected]/admin/release-notes#3.11.12

docs.github.com/en/[email protected]/admin/release-notes#3.12.6

docs.github.com/en/[email protected]/admin/release-notes#3.13.1

docs.github.com/en/[email protected]/admin/release-notes#3.9.17