Products
GitHub Enterprise Server
- 3.9.0 - 3.9.12
- 3.10.0 - 3.10.9
- 3.11.0 - 3.11.7
- 3.12.0
GitHub Enterprise Server
- before 3.9.13
- 3.9.13
- before 3.10.10
- 3.10.10
- before 3.11.8
- 3.11.8
- before 3.12.1
- 3.12.1
- 3.13
Source
product-cna@github.com
Tags
CVE-2024-2440 details
Last Modified : April 19, 2024, 6:29 p.m.
Description
A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on a detached repository by making a GraphQL mutation to alter repository permissions while the repository is detached. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.13 and was fixed in versions 3.9.13, 3.10.10, 3.11.8 and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Score
| 1 | 2 | 3 | 4 | 5.5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|
CVSS Data
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
Base Score
5.5
Exploitability Score
Impact Score
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L
References
| URL | Source |
|---|---|
| https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.10 | product-cna@github.com |
| https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.8 | product-cna@github.com |
| https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.2 | product-cna@github.com |
| https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.13 | product-cna@github.com |