PT-2024-37178 · Github · Github Enterprise Server
Ahacker1 · Published 2024-07-16 · Updated 2024-09-17 · CVE-2024-5816
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions:
- GitHub Enterprise Server versions prior to 3.14
- GitHub Enterprise Server version 3.9.17
- GitHub Enterprise Server version 3.10.14
- GitHub Enterprise Server version 3.11.12
- GitHub Enterprise Server version 3.12.6
- GitHub Enterprise Server version 3.13.1
Description: An Incorrect Authorization issue was identified in GitHub Enterprise Server, allowing a suspended GitHub App to retain access to the repository via a scoped user access token. This issue was only exploitable in public repositories, while private repositories were not impacted.
Recommendations:
- For GitHub Enterprise Server versions prior to 3.9.17, update to version 3.9.17.
- For GitHub Enterprise Server versions prior to 3.10.14, update to version 3.10.14.
- For GitHub Enterprise Server versions prior to 3.11.12, update to version 3.11.12.
- For GitHub Enterprise Server versions prior to 3.12.6, update to version 3.12.6.
- For GitHub Enterprise Server versions prior to 3.13.1, update to version 3.13.1.
As a temporary workaround, consider restricting access to scoped user access tokens for suspended GitHub Apps until a patch is available.

Fix

Weakness Enumeration: Incorrect Authorization
Related Identifiers: CVE-2024-5816
Affected Products: Github Enterprise Server