GitHub Enterprise Server up to 3.13.0 cross-site request forgery

Summaryinfo

A vulnerability was found in GitHub Enterprise Server up to 3.9.16/3.10.13/3.11.11/3.12.5/3.13.0 and classified as problematic. This affects an unknown function. Such manipulation leads to cross-site request forgery. This vulnerability is referenced as CVE-2024-5815. It is possible to launch the attack remotely. No exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in GitHub Enterprise Server up to 3.9.16/3.10.13/3.11.11/3.12.5/3.13.0. Affected by this issue is an unknown code. The manipulation with an unknown input leads to a cross-site request forgery vulnerability. Using CWE to declare the problem leads to CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Impacted is integrity. CVE summarizes:

A Cross-Site Request Forgery vulnerability in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting incorrect request types. A mitigating factor is that the attacker would have to be a trusted GitHub Enterprise Server user, and the victim would have to visit a tag in the attacker's fork of their own repository. vulnerability affected all versions of GitHub Enterprise Server prior 3.14 and was fixed in version 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.

The weakness was published by Ahacker1. The advisory is available at docs.github.com. This vulnerability is handled as CVE-2024-5815 since 06/10/2024. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. Successful exploitation requires user interaction by the victim. The technical details are unknown and an exploit is not available.

Upgrading to version 3.9.17, 3.10.14, 3.11.12, 3.12.6, 3.13.1 or 3.14 eliminates this vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Bug Tracking Software

Vendor

• GitHub

Name

• Enterprise Server

Version

• 3.0
• 3.1
• 3.2
• 3.3
• 3.4
• 3.5
• 3.6
• 3.7
• 3.8
• 3.9
• 3.9.0
• 3.9.1
• 3.9.2
• 3.9.3
• 3.9.4
• 3.9.5
• 3.9.6
• 3.9.7
• 3.9.8
• 3.9.9
• 3.9.10
• 3.9.11
• 3.9.12
• 3.9.13
• 3.9.14
• 3.9.15
• 3.9.16
• 3.10
• 3.10.0
• 3.10.1
• 3.10.2
• 3.10.3
• 3.10.4
• 3.10.5
• 3.10.6
• 3.10.7
• 3.10.8
• 3.10.9
• 3.10.10
• 3.10.11
• 3.10.12
• 3.10.13
• 3.11
• 3.11.0
• 3.11.1
• 3.11.2
• 3.11.3
• 3.11.4
• 3.11.5
• 3.11.6
• 3.11.7
• 3.11.8
• 3.11.9
• 3.11.10
• 3.11.11
• 3.12
• 3.12.0
• 3.12.1
• 3.12.2
• 3.12.3
• 3.12.4
• 3.12.5
• 3.13.0

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion