An information disclosure vulnerability was identified in GitHub Enterprise Server via an attacker-uploaded asset URL, allowing the attacker to retrieve metadata information about a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user into clicking on that uploaded asset URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.2, 3.13.5, 3.12.10, and 3.11.16. This vulnerability was reported via the GitHub Bug Bounty program.
History
Fri, 15 Nov 2024 17:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Github, Github enterprise Server | |
Weaknesses | NVD-CWE-noinfo | |
CPEs | cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* | |
Vendors & Products | Github, Github enterprise Server | |
Metrics | cvssV3_1 | |
Fri, 11 Oct 2024 21:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | ssvc | |
Fri, 11 Oct 2024 18:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click on that uploaded asset URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.2, 3.13.5, 3.12.10, 3.11.16. This vulnerability was reported via the GitHub Bug Bounty program. | |
Weaknesses | CWE-200 | |
References | | |
Metrics | cvssV4_0 | |
MITRE
Status: PUBLISHED
Assigner: GitHub_P
Published: 2024-10-11T17:52:35.386Z
Updated: 2024-10-11T18:43:42.224Z
Reserved: 2024-10-04T18:06:12.657Z
Link: CVE-2024-9539
Vulnrichment
Updated: 2024-10-11T18:43:38.212Z
NVD
Status: Analyzed
Published: 2024-10-11T18:15:08.887
Modified: 2024-11-15T17:15:06.600
Link: CVE-2024-9539
Redhat
No data.