PT-2024-37592 · GitHub · GitHub Enterprise Server
Ahacker1
Published: 2024-07-16
Updated: 2024-09-17
CVE-2024-6395
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/V:C/RE:L/U:Amber
Vulnerable software and affected versions
GitHub Enterprise Server versions prior to 3.14
Description
An exposure of sensitive information issue in GitHub Enterprise Server allows an attacker to enumerate the names of private repositories that use deploy keys. The issue exposes only repository names; it does not grant unauthorized access to any other repository content. The issue was reported via the GitHub Bug Bounty program.
Recommendations
For versions prior to 3.9.17, update to version 3.9.17.
For versions prior to 3.10.14, update to version 3.10.14.
For versions prior to 3.11.12, update to version 3.11.12.
For versions prior to 3.12.6, update to version 3.12.6.
For versions prior to 3.13.1, update to version 3.13.1.
As a temporary workaround, consider restricting access to deploy keys until a patch is applied.
Fix
Information Disclosure
Affected Products
GitHub Enterprise Server