CVE-2024-8263 MEDIUM

Vendor GitHub
Product GitHub Enterprise Server
Weakness CWE-269 (Improper Privilege Management)
Published September 23, 2024
Last update September 23, 2024

CVSS base score

6.2/10
Attack vector Network
Attack complexity Low
Attack requirements None
Privileges required High
User interaction None
Confidentiality None (vulnerable system) / Low (subsequent system)
Integrity Low (vulnerable system) / High (subsequent system)
Availability None (vulnerable system) / None (subsequent system)

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N

What the vulnerability does

01 Description

An improper privilege management vulnerability allowed arbitrary workflows to be committed using an improperly scoped personal access token (PAT) through the use of nested tags. The vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.10.17, 3.11.15, 3.12.9, 3.13.4 and 3.14.1. No fixed build is listed for release lines older than 3.10, so instances on those lines need to be upgraded to one of the fixed release lines. The vulnerability was reported via the GitHub Bug Bounty program.
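The practical check that follows from the advisory is whether a given instance is on a fixed build. The script below is an added example, not code from GitHub or from this record: it compares an installed version against the fixed releases named above, per release line, and treats anything on a line older than 3.10 as affected because no fixed build exists for those lines. It assumes (not stated on this page) that the GHES `/api/v3/meta` endpoint exposes the build as `installed_version`, that later release lines (3.15 and up) branched after the fix, and the sample JSON response is constructed for the example.

```python
"""Assess a GitHub Enterprise Server build against the CVE-2024-8263 fix list."""
import json
import re

# Fixed releases named in the advisory, keyed by release line (major, minor).
FIXED_RELEASES = {
    (3, 10): (3, 10, 17),
    (3, 11): (3, 11, 15),
    (3, 12): (3, 12, 9),
    (3, 13): (3, 13, 4),
    (3, 14): (3, 14, 1),
}

# Oldest release line that received a fixed build; anything older has no fix.
OLDEST_FIXED_LINE = (3, 10)

_VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:[-+.][\w.+-]*)?\s*")


def parse_version(text):
    """Parse '3.13.3', 'v3.13.3' or '3.13.3-rc1' into a (major, minor, patch) tuple."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError("unrecognised GHES version string: %r" % text)
    return tuple(int(part) for part in m.groups())


def fixed_release_for(version):
    """Return the fixed build on this version's release line, or None if none is listed."""
    return FIXED_RELEASES.get(tuple(version[:2]))


def is_vulnerable(version):
    """True if the build predates the fix for its release line.

    Lines older than 3.10 have no fixed build, so they are always affected.
    Lines newer than 3.14 are assumed to have branched after the fix (assumption,
    not stated in the advisory).
    """
    line = tuple(version[:2])
    fixed = fixed_release_for(version)
    if fixed is None:
        return line < OLDEST_FIXED_LINE
    return tuple(version) < fixed


def assess_meta_response(body):
    """Assess the JSON body of GET /api/v3/meta (assumed to carry 'installed_version')."""
    data = json.loads(body)
    version = parse_version(data["installed_version"])
    fixed = fixed_release_for(version)
    vulnerable = is_vulnerable(version)
    if vulnerable and fixed is None:
        action = "upgrade to a supported release line (3.10.17 or later)"
    elif vulnerable:
        action = "upgrade to %d.%d.%d" % fixed
    else:
        action = "none"
    return {
        "version": "%d.%d.%d" % version,
        "vulnerable": vulnerable,
        "fixed_in": "%d.%d.%d" % fixed if fixed else None,
        "action": action,
    }


if __name__ == "__main__":
    # Constructed sample response; a real check would fetch https://<ghes-host>/api/v3/meta.
    sample_meta = '{"installed_version": "3.13.3", "verifiable_password_authentication": true}'
    print(assess_meta_response(sample_meta))
```

Version comparison is done per release line rather than as a single global threshold: 3.12.9 is fixed while 3.13.3 is not, so "newer than 3.12.9" would give the wrong answer for a 3.13 instance.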

Key dates

02 Disclosure timeline

September 23, 2024 CVE published
September 23, 2024 Record updated