CVE-2024-6336

A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users in GitHub Enterprise Server by exploiting organization ruleset feature. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS

No CVSS.

References

Link	Resource
https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.15
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.12
https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.6
https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.1
https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.17

Configurations

No configuration.

History

No history.

Information

Published : 2024-07-16 22:15

Updated : 2024-07-17 13:34

NVD link : CVE-2024-6336

Mitre link : CVE-2024-6336

CVE.ORG link : CVE-2024-6336

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2024-6336", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "product-cna@github.com", "cvssData": {"safety": "NEGLIGIBLE", "version": "4.0", "recovery": "USER", "baseScore": 6.9, "automatable": "NO", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:X/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-07-16T22:15:05.983", "references": [{"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.15", "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.12", "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.6", "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.1", "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.17", "source": "product-cna@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "product-cna@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users in GitHub Enterprise Server by exploiting organization ruleset feature. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program."}, {"lang": "es", "value": "Una vulnerabilidad de configuraci\u00f3n incorrecta de seguridad en GitHub Enterprise Server permiti\u00f3 la divulgaci\u00f3n de informaci\u00f3n confidencial a usuarios no autorizados en GitHub Enterprise Server mediante la explotaci\u00f3n de la funci\u00f3n de conjunto de reglas de la organizaci\u00f3n. Este ataque requiri\u00f3 que un miembro de la organizaci\u00f3n cambiara expl\u00edcitamente la visibilidad de un repositorio dependiente de privado a p\u00fablico. Esta vulnerabilidad afect\u00f3 a todas las versiones de GitHub Enterprise Server anteriores a la 3.14 y se solucion\u00f3 en las versiones 3.13.1, 3.12.6, 3.11.12, 3.10.14 y 3.9.17. Esta vulnerabilidad se inform\u00f3 a trav\u00e9s del programa GitHub Bug Bounty."}], "lastModified": "2024-07-17T13:34:20.520", "sourceIdentifier": "product-cna@github.com"}