Lucene search

Ahacker1H1:2469713

HistoryApr 18, 2024 - 2:43 p.m.

GitHub: View private repository NWO of deploy key via internal LFS API

2024-04-1814:43:10

ahacker1

hackerone.com

$4000

github

private repository

deploy key

sensitive information

vulnerability

bug bounty

lfs api

unauthorized access

fixed version

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS4

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/SC:L/VI:N/SI:N/VA:N/SA:N/S:N/AU:Y/U:Amber/V:C/RE:L

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

21.1%

JSON

An exposure of sensitive information vulnerability in GitHub Enterprise Server would allow an attacker to enumerate the names of private repositories that utilize deploy keys. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17.

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS4

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/SC:L/VI:N/SI:N/VA:N/SA:N/S:N/AU:Y/U:Amber/V:C/RE:L

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

21.1%

JSON

Related for H1:2469713