Lucene search

K
vulnrichmentGitHub_PVULNRICHMENT:CVE-2024-6395
HistoryJul 16, 2024 - 9:27 p.m.

CVE-2024-6395 GitHub Enterprise Server Information Disclosure Vulnerability Exposes Private Repository Names via Deploy Keys

2024-07-1621:27:10
CWE-200
GitHub_P
github.com
3
github
enterprise server
information disclosure
vulnerability
private repository
deploy keys
unauthorized access
bug bounty program

CVSS4

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/SC:L/VI:N/SI:N/VA:N/SA:N/S:N/AU:Y/U:Amber/V:C/RE:L

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

21.1%

SSVC

Exploitation

none

Automatable

no

Technical Impact

partial

An exposure of sensitive information vulnerability in GitHub Enterprise Server would allow an attacker to enumerate the names of private repositories that utilize deploy keys. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.

CNA Affected

[
  {
    "vendor": "GitHub",
    "product": "GitHub Enterprise Server",
    "versions": [
      {
        "status": "affected",
        "changes": [
          {
            "at": "3.10.14",
            "status": "unaffected"
          }
        ],
        "version": "3.10.0",
        "versionType": "semver",
        "lessThanOrEqual": "3.10.13"
      },
      {
        "status": "affected",
        "changes": [
          {
            "at": "3.11.12",
            "status": "unaffected"
          }
        ],
        "version": "3.11.0",
        "versionType": "semver",
        "lessThanOrEqual": "3.11.11"
      },
      {
        "status": "affected",
        "changes": [
          {
            "at": "3.12.6",
            "status": "unaffected"
          }
        ],
        "version": "3.12.0",
        "versionType": "semver",
        "lessThanOrEqual": "3.12.5"
      },
      {
        "status": "affected",
        "changes": [
          {
            "at": "3.13.1",
            "status": "unaffected"
          }
        ],
        "version": "3.13",
        "versionType": "semver",
        "lessThanOrEqual": "3.13.0"
      },
      {
        "status": "affected",
        "changes": [
          {
            "at": "3.9.17",
            "status": "unaffected"
          }
        ],
        "version": "3.9.0",
        "versionType": "semver",
        "lessThanOrEqual": "3.9.16"
      }
    ],
    "defaultStatus": "affected"
  }
]

CVSS4

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/SC:L/VI:N/SI:N/VA:N/SA:N/S:N/AU:Y/U:Amber/V:C/RE:L

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

21.1%

SSVC

Exploitation

none

Automatable

no

Technical Impact

partial

Related for VULNRICHMENT:CVE-2024-6395