CVE-2025-3124 MEDIUM

CVE-2025-3124: Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized access to private repository names

Vendor Github
Product Enterprise Server
Weakness CWE-862 · Missing authorization
Published April 17, 2025
Last update April 18, 2025
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed a user to see the names of private repositories that they wouldn't otherwise have access to in the Security Overview in GitHub Advanced Security. The Security Overview was required to be filtered only using the `archived:` filter and all other access controls were functioning normally. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.17 and was fixed in versions 3.13.14, 3.14.11, 3.15.6, and 3.16.2.

Key dates

02Disclosure timeline

April 17, 2025 CVE published
April 18, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-69363 WordPress Responsive Addons for Elementor plugin <= 2.0.8 - Broken Access Control vulnerability CVE-2025-49431 WordPress MF Plus WPML plugin <= 1.1 - Settings Change Vulnerability CVE-2023-49817 WordPress Flexible Woocommerce Checkout Field Editor plugin <= 2.0.1 - Broken Access Control vulnerability CVE-2025-53340 WordPress Awesome Support plugin <= 6.3.6 - Sensitive Data Exposure vulnerability CVE-2023-32117 WordPress Integrate Google Drive plugin <= 1.1.99 - Unauthenticated Broken Access Control vulnerability