CVE-2024-2440

Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 3.13 GitHub Enterprise Server versions 3.9 through 3.9.12 GitHub Enterprise Server versions 3.10 through 3.10.9 GitHub Enterprise Server versions 3.11 through 3.11.7 GitHub Enterprise Server versions 3.12 through 3.12.0

Description A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on a detached repository by making a GraphQL mutation to alter repository permissions while the repository is detached. This issue was reported via the GitHub Bug Bounty program.

Recommendations For GitHub Enterprise Server versions prior to 3.9.13, update to version 3.9.13. For GitHub Enterprise Server versions 3.10, update to version 3.10.10. For GitHub Enterprise Server versions 3.11, update to version 3.11.8. For GitHub Enterprise Server versions 3.12, update to version 3.12.1. As a temporary workaround, consider restricting access to GraphQL mutations that alter repository permissions for detached repositories until a patch is available.