PT-2025-29685 · GitHub · GitHub Enterprise Server
Published: 2025-07-15 · Updated: 2025-08-27 · CVE-2025-6981
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions prior to 3.18
GitHub Enterprise Server versions 3.14.15
GitHub Enterprise Server versions 3.15.10
GitHub Enterprise Server versions 3.16.6
GitHub Enterprise Server versions 3.17.3
Description
An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely enabled feature that is in private preview.
Recommendations
Update to GitHub Enterprise Server version 3.14.15.
Update to GitHub Enterprise Server version 3.15.10.
Update to GitHub Enterprise Server version 3.16.6.
Update to GitHub Enterprise Server version 3.17.3.
Update to GitHub Enterprise Server version 3.18.
Weakness Enumeration
Incorrect Authorization
Related Identifiers
CVE-2025-6981
Affected Products
GitHub Enterprise Server