Lucene search

GitHub_PVULNRICHMENT:CVE-2024-6337

HistoryAug 20, 2024 - 7:19 p.m.

CVE-2024-6337 Incorrect Authorization allows read access to issues in GitHub Enterprise Server

2024-08-2019:19:49

CWE-863

GitHub_P

github.com

incorrect authorization

github enterprise server

github app

private repository

user access token

installation access token

bug bounty program

CVSS4

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

PASSIVE

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/SC:L/VI:N/SI:N/VA:N/SA:N/S:N

AI Score

6.6

Confidence

High

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. This was only exploitable via user access token and installation access token was not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14 and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.

References

docs.github.com/en/[email protected]/admin/release-notes#3.10.16

docs.github.com/en/[email protected]/admin/release-notes#3.11.14

docs.github.com/en/[email protected]/admin/release-notes#3.12.8

docs.github.com/en/[email protected]/admin/release-notes#3.13.3