Internal Access to Sensitive Data via Personal Access Tokens
CVE-2024-10824

Currently unrated

Key Information:

Vendor: Github
Status: Enterprise Server
Vendor: CVE Published:; 7 November 2024

Summary

An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed unauthorized internal users to access sensitive secret scanning alert data intended only for business owners. This issue could be exploited only by organization members with a personal access token (PAT) and required that secret scanning be enabled on user-owned repositories. This vulnerability affected GitHub Enterprise Server versions after 3.13.0 but prior to 3.14.0 and was fixed in version 3.13.2.

Affected Version(s)

Enterprise Server 3.13.0 <= 3.13.1

References

https://docs.github.com/en/[email protected]/admin/r...

release-notes

Timeline

Vulnerability published
Nov 7, 2024
Vulnerability Reserved
Nov 4, 2024