GitHub Enterprise Server up to 3.13.0 Organization Member information disclosure

Summaryinfo

A vulnerability classified as problematic has been found in GitHub Enterprise Server up to 3.9.16/3.10.13/3.11.11/3.12.5/3.13.0. This vulnerability affects unknown code of the component Organization Member Handler. Performing a manipulation results in information disclosure. This vulnerability is known as CVE-2024-6336. Remote exploitation of the attack is possible. No exploit is available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in GitHub Enterprise Server up to 3.9.16/3.10.13/3.11.11/3.12.5/3.13.0. It has been classified as problematic. This affects some unknown processing of the component Organization Member Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality. The summary by CVE is:

A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users in GitHub Enterprise Server by exploiting organization ruleset feature. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.

The weakness was published by Omar El Latif. The advisory is shared at docs.github.com. This vulnerability is uniquely identified as CVE-2024-6336 since 06/25/2024. The exploitability is told to be easy. It is possible to initiate the attack remotely. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

Upgrading to version 3.9.17, 3.10.14, 3.11.12, 3.12.6, 3.13.1 or 3.14 eliminates this vulnerability.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Bug Tracking Software

Vendor

• GitHub

Name

• Enterprise Server

Version

• 3.0
• 3.1
• 3.2
• 3.3
• 3.4
• 3.5
• 3.6
• 3.7
• 3.8
• 3.9
• 3.9.0
• 3.9.1
• 3.9.2
• 3.9.3
• 3.9.4
• 3.9.5
• 3.9.6
• 3.9.7
• 3.9.8
• 3.9.9
• 3.9.10
• 3.9.11
• 3.9.12
• 3.9.13
• 3.9.14
• 3.9.15
• 3.9.16
• 3.10
• 3.10.0
• 3.10.1
• 3.10.2
• 3.10.3
• 3.10.4
• 3.10.5
• 3.10.6
• 3.10.7
• 3.10.8
• 3.10.9
• 3.10.10
• 3.10.11
• 3.10.12
• 3.10.13
• 3.11
• 3.11.0
• 3.11.1
• 3.11.2
• 3.11.3
• 3.11.4
• 3.11.5
• 3.11.6
• 3.11.7
• 3.11.8
• 3.11.9
• 3.11.10
• 3.11.11
• 3.12
• 3.12.0
• 3.12.1
• 3.12.2
• 3.12.3
• 3.12.4
• 3.12.5
• 3.13.0

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion