An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. This was only exploitable via user access token and installation access token was not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14 and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.
Metrics
Affected Vendors & Products
References
History
Fri, 27 Sep 2024 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Github
Github enterprise Server |
|
CPEs | cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* | |
Vendors & Products |
Github
Github enterprise Server |
|
Metrics |
cvssV3_1
|
Wed, 21 Aug 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Tue, 20 Aug 2024 19:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. This was only exploitable via user access token and installation access token was not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14 and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program. | |
Title | Incorrect Authorization allows read access to issues in GitHub Enterprise Server | |
Weaknesses | CWE-863 | |
References |
| |
Metrics |
cvssV4_0
|
MITRE
Status: PUBLISHED
Assigner: GitHub_P
Published: 2024-08-20T19:19:49.193Z
Updated: 2024-08-21T13:43:00.222Z
Reserved: 2024-06-25T21:20:27.045Z
Link: CVE-2024-6337
Vulnrichment
Updated: 2024-08-21T13:42:55.052Z
NVD
Status : Analyzed
Published: 2024-08-20T20:15:09.033
Modified: 2024-09-27T17:48:00.977
Link: CVE-2024-6337
Redhat
No data.