102 matches found
CVE-2024-35301
In JetBrains TeamCity before 2024.03.1 commit status publisher didn't check project scope of the GitHub App token...
CVE-2024-35301
CVE-2024-35301 affects JetBrains TeamCity versions prior to 2024.03.1. The root cause is the commit status publisher not checking the project scope of the GitHub App token, which can lead to improper permission handling. PT-Security notes the issue can enable a remote attacker to execute arbitrar...
PT-2024-3699 · Jetbrains · Jetbrains Teamcity +1
Name of the Vulnerable Software and Affected Versions: JetBrains TeamCity versions prior to 2024.03.1 Description: The issue is related to the commit status publisher in JetBrains TeamCity not checking the project scope of the GitHub App token, which can lead to incorrect handling of insufficient...
CVE-2024-34079
octo-sts is a GitHub App that acts like a Security Token Service STS for the Github API. This vulnerability can spike the resource utilization of the STS service, and combined with a significant traffic volume could potentially lead to a denial of service. This vulnerability is fixed in 0.1.0...
CVE-2024-34079 octo-sts allows unauthenticated attackers to cause unbounded CPU and memory usage
octo-sts is a GitHub App that acts like a Security Token Service STS for the Github API. This vulnerability can spike the resource utilization of the STS service, and combined with a significant traffic volume could potentially lead to a denial of service. This vulnerability is fixed in 0.1.0...
CVE-2024-34079
CVE-2024-34079 affects the octo-sts GitHub App (Security Token Service for the GitHub API). The issue enables excessive resource consumption, potentially causing denial of service when handling high traffic volumes. Public sources describe a DoS risk from unbounded resource usage or missing input...
com.github.t1:wunderbar.demo.product (>=2.2.0 <=3.5.1), io.github.chains-project:maven-lockfile-github-action (>=1.0.1 <=5.5.1) +24 more potentially affected by CVE-2023-6394 via io.quarkus:quarkus-smallrye-graphql-client (>=2.14.0.CR1 <=3.5.2)
io.quarkus:quarkus-smallrye-graphql-client MAVEN version =2.14.0.CR1, =2.2.0, =1.0.1, =0.1.0, =0.1.0, =0.1.0, =1.0.1, =1.3.0, =1.8.0, =1.8.0, =1.3.0, =1.3.0, =1.7.4, =1.8.0, =1.3.0, =1.3.0, =2.14.1 and more Source cves: CVE-2023-6394https://v...
CVE-2022-23741
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in...
CVE-2022-23741 Incorrect authorization in GitHub Enterprise Server token generation leading to full admin access
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in...
PT-2022-16244 · Github · Github Enterprise Server
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.3.17 GitHub Enterprise Server versions prior to 3.4.12 GitHub Enterprise Server versions prior to 3.5.9 GitHub Enterprise Server versions prior to 3.6.5 Description: An incorrect authorization issu...
io.quarkiverse.cxf:quarkus-cxf-deployment (=1.6.0), io.quarkiverse.cxf:quarkus-cxf-rt-features-logging-deployment (=1.6.0) +95 more potentially affected by CVE-2022-4116 via io.quarkus:quarkus-vertx-http-deployment (>=2.14.0.CR1 <=2.14.1.Final)
io.quarkus:quarkus-vertx-http-deployment MAVEN version =2.14.0.CR1, =2.14.1.Final is affected by a known vulnerability. The following packages have a transitive dependency on io.quarkus:quarkus-vertx-http-deployment and may be impacted: - io.quarkiverse.cxf:quarkus-cxf-deployment =1.6.0 -...
CVE-2021-41598
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub Ap...
Design/Logic Flaw
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub Ap...
CVE-2021-41598 UI misrepresentation of granted permissions in GitHub Enterprise Server leading to unauthorized access to user
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub Ap...
CVE-2021-41598
GitHub Enterprise Server vulnerability CVE-2021-41598 is a UI misrepresentation flaw in the GitHub App authorization flow. It can cause more permissions to be granted than the user sees during approval, specifically if the user later updates the repositories an app is installed on after additiona...
CVE-2021-22866
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub Ap...
Authorization
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub Ap...
CVE-2021-22866
The CVE describes a UI misrepresentation in GitHub Enterprise Server’s GitHub App authorization flow. A user could grant more permissions than shown if the App had additional user-level permissions added after initial approval, by revisiting the authorization flow. Affected products/versions: Git...
CVE-2021-22865
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's web authentication flow to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this...
Improper access control
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's web authentication flow to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this...