GitHub Enterprise Server Vulnerability: Information Disclosure through Phishing
CVE-2024-9539

4.3 MEDIUM

Key Information:

Vendor: GitHub
CVE Published: 11 October 2024

Summary

An information disclosure vulnerability exists in GitHub Enterprise Server that allows an attacker to exploit uploaded asset URLs to retrieve user metadata. By leveraging malicious SVG files, the attacker can craft a convincing phishing scheme, which relies on a victim user clicking an asset URL that the attacker has uploaded. This vulnerability impacts all versions of GitHub Enterprise Server before 3.14 and was mitigated in subsequent patches. The issue was reported through the GitHub Bug Bounty program, highlighting the importance of prompt updates and secure coding practices.

Affected Version(s)

GitHub Enterprise Server 3.14.0 to 3.14.1 (inclusive)

GitHub Enterprise Server 3.13.0 to 3.13.4 (inclusive)

CVSS v3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Păun Luca