Internal Access to Sensitive Data via Personal Access Tokens

CVE-2024-10824

Currently unrated 🤨

Key Information

Vendor: Github
Status: Enterprise Server
Vendor: CVE Published:; 7 November 2024

Summary

An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed unauthorized internal users to access sensitive secret scanning alert data intended only for business owners. This issue could be exploited only by organization members with a personal access token (PAT) and required that secret scanning be enabled on user-owned repositories. This vulnerability affected GitHub Enterprise Server versions after 3.13.0 but prior to 3.14.0 and was fixed in version 3.13.2.

Affected Version(s)

Enterprise Server <= 3.13.1

Refferences

https://docs.github.com/en/[email protected]/admin/r...

release-notes

Timeline

Vulnerability published
Nov 7, 2024
Vulnerability Reserved
Nov 4, 2024

Collectors

NVD DatabaseMitre Database