PT-2024-18414 · Github · Github Enterprise Server

Ahacker1 · Published 2024-02-29 · Updated 2025-09-02 · CVE-2024-1908

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

GitHub Enterprise Server versions prior to 3.12
GitHub Enterprise Server versions 3.8.15 and earlier
GitHub Enterprise Server versions 3.9.10 and earlier
GitHub Enterprise Server versions 3.10.7 and earlier
GitHub Enterprise Server versions 3.11.5 and earlier

Description

An Improper Privilege Management issue was identified in GitHub Enterprise Server, allowing an attacker to use the Enterprise Actions GitHub Connect download token to fetch private repository data. The attacker would require an account on the server instance with non-default settings for GitHub Connect. This issue was reported via the GitHub Bug Bounty program.

Recommendations

For GitHub Enterprise Server versions prior to 3.8.16, update to version 3.8.16 or later.
For GitHub Enterprise Server versions 3.9.10 and earlier, update to version 3.9.11 or later.
For GitHub Enterprise Server versions 3.10.7 and earlier, update to version 3.10.8 or later.
For GitHub Enterprise Server versions 3.11.5 and earlier, update to version 3.11.6 or later.
As a temporary workaround, consider restricting access to the GitHub Connect download token until a patch is available.
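The affected ranges and fixed releases above map onto a simple per-branch version check. The following is an added example, not code from the advisory or from GitHub: it parses a GitHub Enterprise Server version string, decides whether it falls inside the ranges the advisory lists, and reports the minimum fixed release for that 3.x branch. The fixed versions and the "prior to 3.12" cut-off come from the advisory text; the version strings passed in are constructed inputs, and a branch older than 3.8 (which the advisory marks affected without naming a fix) is reported as affected with no fixed release.

```python
# Added example (not part of the advisory): assess a GHES version string
# against the affected ranges and fixed releases stated for CVE-2024-1908.
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum fixed release per supported 3.x branch, as listed in the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (3, 8): (3, 8, 16),
    (3, 9): (3, 9, 11),
    (3, 10): (3, 10, 8),
    (3, 11): (3, 11, 6),
}

# The advisory states that versions prior to 3.12 are affected, so 3.12+ is clean.
FIRST_UNAFFECTED_BRANCH = (3, 12)


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' (or 'X.Y', read as X.Y.0) into a comparable tuple.

    Anything else raises ValueError so that malformed input is never
    silently classified as unaffected.
    """
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a GHES version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version_text: str) -> Dict[str, Optional[object]]:
    """Return {'version', 'affected', 'update_to'} for one GHES version.

    'update_to' is the fixed release string for the version's branch, or
    None when the version is unaffected or the advisory names no fix for
    that branch (e.g. 3.7.x, which is only covered by 'prior to 3.12').
    """
    v = parse_version(version_text)
    branch = (v[0], v[1])
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return {"version": version_text, "affected": False, "update_to": None}
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None and v >= fixed:
        # Already at or past the fixed release on this branch.
        return {"version": version_text, "affected": False, "update_to": None}
    update_to = ".".join(str(n) for n in fixed) if fixed else None
    return {"version": version_text, "affected": True, "update_to": update_to}


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    for sample in ["3.8.15", "3.8.16", "3.10.7", "3.11.6", "3.12.0", "3.7.2"]:
        print(assess(sample))
```

Because the check keys on the minor branch first, a host on 3.10.8 is correctly reported as fixed even though 3.11.5 (a numerically higher version) is still affected; comparing plain version tuples against a single cut-off would get that wrong.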

Fix

Weakness Enumeration
Improper Privilege Management

Related Identifiers
CVE-2024-1908

Affected Products
Github Enterprise Server