CVE-2012-2055

GitHub Enterprise before 20120304 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the public_key[user_id] value via a modified URL for the public-key update form, related to a "mass assignment" vulnerability.
Configurations

Configuration 1 (hide)

cpe:2.3:a:github:github:*:*:*:*:enterprise:*:*:*

History

21 Nov 2024, 01:38

Type Values Removed Values Added
References () http://homakov.blogspot.com/2012/03/how-to.html - Issue Tracking () http://homakov.blogspot.com/2012/03/how-to.html - Issue Tracking
References () http://lwn.net/Articles/488702/ - Third Party Advisory () http://lwn.net/Articles/488702/ - Third Party Advisory
References () https://exchange.xforce.ibmcloud.com/vulnerabilities/74812 - Third Party Advisory, VDB Entry () https://exchange.xforce.ibmcloud.com/vulnerabilities/74812 - Third Party Advisory, VDB Entry
References () https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation - Vendor Advisory () https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation - Vendor Advisory

21 Jan 2024, 02:39

Type Values Removed Values Added
First Time Github github
CVSS v2 : 5.0
v3 : unknown
v2 : 5.0
v3 : 7.5
CPE cpe:2.3:a:github:github_enterprise:*:*:*:*:*:*:*:* cpe:2.3:a:github:github:*:*:*:*:enterprise:*:*:*
CWE CWE-255 CWE-913
References (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/74812 - (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/74812 - Third Party Advisory, VDB Entry
References (MISC) http://lwn.net/Articles/488702/ - (MISC) http://lwn.net/Articles/488702/ - Third Party Advisory
References (MISC) http://homakov.blogspot.com/2012/03/how-to.html - Exploit (MISC) http://homakov.blogspot.com/2012/03/how-to.html - Issue Tracking
References (CONFIRM) https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation - (CONFIRM) https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation - Vendor Advisory

Information

Published : 2012-04-05 14:55

Updated : 2024-11-21 01:38


NVD link : CVE-2012-2055

Mitre link : CVE-2012-2055

CVE.ORG link : CVE-2012-2055


JSON object : View

Products Affected

github

  • github
CWE
CWE-913

Improper Control of Dynamically-Managed Code Resources