GitHub Enterprise before 20120304 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the public_key[user_id] value via a modified URL for the public-key update form, related to a "mass assignment" vulnerability.
References
Link | Resource |
---|---|
http://homakov.blogspot.com/2012/03/how-to.html | Issue Tracking |
http://lwn.net/Articles/488702/ | Third Party Advisory |
https://exchange.xforce.ibmcloud.com/vulnerabilities/74812 | Third Party Advisory VDB Entry |
https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation | Vendor Advisory |
Configurations
History
21 Jan 2024, 02:39
Type | Values Removed | Values Added |
---|---|---|
First Time |
Github github
|
|
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 7.5 |
CPE | cpe:2.3:a:github:github:*:*:*:*:enterprise:*:*:* | |
CWE | CWE-913 | |
References | (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/74812 - Third Party Advisory, VDB Entry | |
References | (MISC) http://lwn.net/Articles/488702/ - Third Party Advisory | |
References | (MISC) http://homakov.blogspot.com/2012/03/how-to.html - Issue Tracking | |
References | (CONFIRM) https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation - Vendor Advisory |
Information
Published : 2012-04-05 14:55
Updated : 2024-02-28 12:00
NVD link : CVE-2012-2055
Mitre link : CVE-2012-2055
CVE.ORG link : CVE-2012-2055
JSON object : View
Products Affected
github
- github
CWE
CWE-913
Improper Control of Dynamically-Managed Code Resources