Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cvelistGitHub_PCVELIST:CVE-2024-6395
HistoryJul 16, 2024 - 9:27 p.m.

CVE-2024-6395 GitHub Enterprise Server Information Disclosure Vulnerability Exposes Private Repository Names via Deploy Keys

2024-07-1621:27:10
CWE-200
GitHub_P
www.cve.org
5
github
enterprise server
information disclosure
vulnerability
private repositories
deploy keys
unauthorized access
github bug bounty

CVSS4

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/SC:L/VI:N/SI:N/VA:N/SA:N/S:N/AU:Y/U:Amber/V:C/RE:L

EPSS

0.001

Percentile

21.1%

JSON

An exposure of sensitive information vulnerability in GitHub Enterprise Server would allow an attacker to enumerate the names of private repositories that utilize deploy keys. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "GitHub Enterprise Server",
    "vendor": "GitHub",
    "versions": [
      {
        "changes": [
          {
            "at": "3.10.14",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.10.13",
        "status": "affected",
        "version": "3.10.0",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.11.12",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.11.11",
        "status": "affected",
        "version": "3.11.0",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.12.6",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.12.5",
        "status": "affected",
        "version": "3.12.0",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.13.1",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.13.0",
        "status": "affected",
        "version": "3.13",
        "versionType": "semver"
      },
      {
        "changes": [
          {
            "at": "3.9.17",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "3.9.16",
        "status": "affected",
        "version": "3.9.0",
        "versionType": "semver"
      }
    ]
  }
]

Related

vulnrichment 1
cve 1
nvd 1
hackerone 1
vulnrichment
vulnrichment
CVE-2024-6395 GitHub Enterprise Server Information Disclosure Vulnerability Exposes Private Repository Names via Deploy Keys
2024-07-16 21:27:10
cve
cve
CVE-2024-6395
2024-07-16 22:15:06
nvd
nvd
CVE-2024-6395
2024-07-16 22:15:06
hackerone
hackerone
GitHub: View private repository NWO of deploy key via internal LFS API
2024-04-18 14:43:10

CVSS4

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/SC:L/VI:N/SI:N/VA:N/SA:N/S:N/AU:Y/U:Amber/V:C/RE:L

EPSS

0.001

Percentile

21.1%

JSON
Related for CVELIST:CVE-2024-6395
vulnrichment1cve1nvd1hackerone1