PT-2024-7223 · GitHub · GitHub Enterprise Server

Author: Păun Luca
Published: 2024-10-04 · Updated: 2024-11-15

CVE-2024-9539
CVSS v4.0: 5.7 (Medium)
Vector: AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions prior to 3.14
GitHub Enterprise Server version 3.14.2
GitHub Enterprise Server version 3.13.5
GitHub Enterprise Server version 3.12.10
GitHub Enterprise Server version 3.11.16
Description
An information disclosure issue was identified in GitHub Enterprise Server via an attacker-uploaded asset URL, allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user into clicking on that uploaded asset URL.
Recommendations
For GitHub Enterprise Server versions prior to 3.14, update to version 3.14.2, 3.13.5, 3.12.10, or 3.11.16 to resolve the issue. As a temporary workaround, consider restricting access to uploaded asset URLs to reduce the risk of exploitation. Avoid opening uploaded SVG asset URLs from untrusted sources on the affected GitHub Enterprise Server until the fix is applied.

Status: Fix

Weakness Enumeration: Information Disclosure

Related Identifiers: BDU:2024-08562, CVE-2024-9539

Affected Products: GitHub Enterprise Server