CVE-2024-6395 MEDIUM

CVE-2024-6395: GitHub Enterprise Server Information Disclosure Vulnerability Exposes Private Repository Names via Deploy Keys

Vendor Github
Product GitHub Enterprise Server
Weakness CWE-200 · Info exposure
Published July 16, 2024
Last update August 1, 2024

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/V:C/RE:L/U:Amber

What the vulnerability does

01Description

An exposure of sensitive information vulnerability in GitHub Enterprise Server would allow an attacker to enumerate the names of private repositories that utilize deploy keys. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.

Key dates

02Disclosure timeline

July 16, 2024 CVE published
August 1, 2024 Record updated