Name of the Vulnerable Software and Affected Versions:
GitHub Enterprise Server versions prior to 3.18
GitHub Enterprise Server 3.14.x versions prior to 3.14.17
GitHub Enterprise Server 3.15.x versions prior to 3.15.12
GitHub Enterprise Server 3.16.x versions prior to 3.16.8
GitHub Enterprise Server 3.17.x versions prior to 3.17.5
Description:
An improper access control issue was identified in GitHub Enterprise Server that allowed users with repository access to retrieve limited code content from other repositories. An attacker needed to know the name of a private repository, along with its branches, tags, or commit SHAs, to trigger compare/diff functionality and retrieve code without authorization.
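The bug class described above is a compare endpoint that authorizes only the repository named in the request and then resolves base and head refs that may point into a different repository. The following is an added, constructed Python model of that pattern and of its corrected form; it is not GitHub Enterprise Server code, and the repository names, users, refs and contents are invented for the illustration. The hardened handler authorizes every repository the request names before any ref is resolved, so an unauthorized caller learns nothing about which branches, tags or commit SHAs exist in a private repository.

```python
import difflib
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the acting user may not read a repository the compare touches."""


@dataclass(eq=False)
class Repo:
    name: str                                    # "owner/name"
    private: bool
    readers: set = field(default_factory=set)    # users with read access
    refs: dict = field(default_factory=dict)     # branch or tag -> commit SHA
    blobs: dict = field(default_factory=dict)    # commit SHA -> file content


# Constructed sample data: one public repository and one private repository.
# "mallory" can read only the public one; "alice" can read both.
REPOS = {
    "acme/public-tool": Repo(
        "acme/public-tool", private=False, readers={"alice", "mallory"},
        refs={"main": "a1"}, blobs={"a1": "print('hello')\n"},
    ),
    "acme/secret-service": Repo(
        "acme/secret-service", private=True, readers={"alice"},
        refs={"main": "b2"}, blobs={"b2": "API_KEY = 'constructed-placeholder'\n"},
    ),
}


def can_read(user, repo):
    return repo is not None and (not repo.private or user in repo.readers)


def parse_spec(spec, default_repo):
    """Split 'owner/name:ref' or 'ref' into (repo, ref); unknown repo -> None."""
    if ":" in spec:
        repo_name, ref = spec.split(":", 1)
        return REPOS.get(repo_name), ref
    return default_repo, spec


def render_diff(base_text, head_text):
    return "".join(difflib.unified_diff(
        base_text.splitlines(keepends=True), head_text.splitlines(keepends=True),
        fromfile="base", tofile="head"))


def compare_vulnerable(user, repo_name, base_spec, head_spec):
    """Checks read access to the URL's repository only.

    The refs are resolved afterwards and may point into another repository,
    whose access rules are never consulted."""
    repo = REPOS[repo_name]
    if not can_read(user, repo):
        raise Forbidden(repo.name)
    base_repo, base_ref = parse_spec(base_spec, repo)
    head_repo, head_ref = parse_spec(head_spec, repo)
    return render_diff(base_repo.blobs[base_repo.refs[base_ref]],
                       head_repo.blobs[head_repo.refs[head_ref]])


def compare_fixed(user, repo_name, base_spec, head_spec):
    """Authorizes every repository named in the request before resolving refs."""
    repo = REPOS[repo_name]
    base_repo, base_ref = parse_spec(base_spec, repo)
    head_repo, head_ref = parse_spec(head_spec, repo)
    for r in (repo, base_repo, head_repo):
        # Unknown and unauthorized repositories get the same response, so the
        # caller cannot probe for repository, branch or commit existence.
        if not can_read(user, r):
            raise Forbidden(r.name if r is not None else "unknown")
    return render_diff(base_repo.blobs[base_repo.refs[base_ref]],
                       head_repo.blobs[head_repo.refs[head_ref]])


def is_forbidden(handler, *args):
    """True if the handler rejects the request with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    req = ("mallory", "acme/public-tool", "main", "acme/secret-service:main")
    print("vulnerable leaks private content:", "API_KEY" in compare_vulnerable(*req))
    print("fixed rejects the request:", is_forbidden(compare_fixed, *req))
```

The detection angle follows from the same structure: in a real deployment the handler would log the actor together with every repository it resolved, not only the one in the URL, so that compare requests referencing repositories outside the actor's read set stand out in the audit trail.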
Recommendations:
Update to GitHub Enterprise Server version 3.14.17.
Update to GitHub Enterprise Server version 3.15.12.
Update to GitHub Enterprise Server version 3.16.8.
Update to GitHub Enterprise Server version 3.17.5.
Update to GitHub Enterprise Server version 3.18.