PT-2024-6123 · GitHub · GitHub Enterprise Server

Vaibhav Singh · Published 2024-08-20 · Updated 2024-09-27 · CVE-2024-6337

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
- GitHub Enterprise Server versions prior to 3.14
- GitHub Enterprise Server version 3.13.3
- GitHub Enterprise Server version 3.12.8
- GitHub Enterprise Server version 3.11.14
- GitHub Enterprise Server version 3.10.16

Description
An Incorrect Authorization issue was identified in GitHub Enterprise Server that allows a GitHub App with limited permissions to read issue content inside a private repository. The issue was only exploitable via a user access token; installation access tokens were not affected. It was reported via the GitHub Bug Bounty program and has been exploited in real-world attacks.

Recommendations
For GitHub Enterprise Server versions prior to 3.14, update to version 3.13.3, 3.12.8, 3.11.14, or 3.10.16 to resolve the issue. As a temporary workaround until the update is applied, consider restricting access to private repositories for GitHub Apps that hold content: read and pull request: write permissions, and avoid using user access tokens for GitHub Apps with limited permissions in private repositories until the issue is resolved.
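As an added example that is not part of this advisory, the following Python check maps a GitHub Enterprise Server version string onto the ranges stated above (affected before 3.14; fixed in 3.13.3, 3.12.8, 3.11.14 and 3.10.16) so an inventory of instances can be triaged; the host names and versions in the sample inventory are constructed.

```python
"""Triage GHES instances against CVE-2024-6337 fixed versions (added example)."""
import re

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (3, 13): (3, 13, 3),
    (3, 12): (3, 12, 8),
    (3, 11): (3, 11, 14),
    (3, 10): (3, 10, 16),
}
# The advisory says "versions prior to 3.14" are affected, so 3.14.x is clean.
FIRST_UNAFFECTED_BRANCH = (3, 14)


def parse_version(text):
    """Turn '3.13.2' or 'v3.13' into a comparable (major, minor, patch) tuple."""
    match = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not match:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_text):
    """Classify one instance: 'not affected', 'patched', or a 'vulnerable' verdict."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return "not affected"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Branches older than 3.10 are affected but have no fixed release in the
        # advisory; the only remediation is moving to a supported branch.
        return "vulnerable (no fixed release on this branch)"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Return {host: verdict} for every instance that still needs action."""
    return {host: assess(ver) for host, ver in inventory.items()
            if assess(ver) not in ("patched", "not affected")}


if __name__ == "__main__":
    # Constructed sample inventory: host name -> installed GHES version.
    sample = {"ghes-a.example": "3.13.2", "ghes-b.example": "3.12.8",
              "ghes-c.example": "3.14.0", "ghes-d.example": "3.9.7"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```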

Fix

Weakness Enumeration
Incorrect Authorization

Related Identifiers
BDU:2024-07037
CVE-2024-6337

Affected Products
GitHub Enterprise Server