Cross Site Request Forgery was identified in GitHub Enterprise Server that allowed write in a user owned repository

CVE-2024-5815

6.5MEDIUM

Key Information

Vendor
Github
Status
Github Enterprise Server
Vendor
CVE Published:
16 July 2024

Summary

A Cross-Site Request Forgery vulnerability in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting incorrect request types. A mitigating factor is that the attacker would have to be a trusted GitHub Enterprise Server user, and the victim would have to visit a tag in the attacker's fork of their own repository. vulnerability affected all versions of GitHub Enterprise Server prior 3.14 and was fixed in version 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17.

This vulnerability was reported via the GitHub Bug Bounty program.

Affected Version(s)

GitHub Enterprise Server <= 3.9.16

GitHub Enterprise Server <= 3.9.16

GitHub Enterprise Server <= 3.10.13

Refferences

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

Collectors

NVD DatabaseMitre Database

Credit

ahacker1
.