CVE-2024-5815

A Cross-Site Request Forgery vulnerability in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting incorrect request types. A mitigating factor is that the attacker would have to be a trusted GitHub Enterprise Server user, and the victim would have to visit a tag in the attacker's fork of their own repository. vulnerability affected all versions of GitHub Enterprise Server prior 3.14 and was fixed in version 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
cpe:2.3:a:github:enterprise_server:3.13.0:*:*:*:*:*:*:*

History

21 Nov 2024, 09:48

Type Values Removed Values Added
References () https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.9.17 - Release Notes () https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.9.17 - Release Notes
References () https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.10.14 - Release Notes () https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.10.14 - Release Notes
References () https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.11.12 - Release Notes () https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.11.12 - Release Notes
References () https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.12.6 - Release Notes () https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.12.6 - Release Notes
References () https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.1 - Release Notes () https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.1 - Release Notes

17 Sep 2024, 16:26

Type Values Removed Values Added
First Time Github
Github enterprise Server
CPE cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
cpe:2.3:a:github:enterprise_server:3.13.0:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
Summary
  • (es) Una vulnerabilidad de Cross-Site Request Forgery en GitHub Enterprise Server permitió operaciones de escritura en un repositorio propiedad de la víctima explotando tipos de solicitudes incorrectos. Un factor atenuante es que el atacante tendría que ser un usuario confiable de GitHub Enterprise Server y la víctima tendría que visitar una etiqueta en la bifurcación del atacante en su propio repositorio. La vulnerabilidad afectó a todas las versiones de GitHub Enterprise Server anteriores a la 3.14 y se solucionó en las versiones 3.13.1, 3.12.6, 3.11.12, 3.10.14 y 3.9.17. Esta vulnerabilidad se informó a través del programa GitHub Bug Bounty.
References () https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.9.17 - () https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.9.17 - Release Notes
References () https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.10.14 - () https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.10.14 - Release Notes
References () https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.11.12 - () https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.11.12 - Release Notes
References () https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.12.6 - () https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.12.6 - Release Notes
References () https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.1 - () https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.1 - Release Notes

16 Jul 2024, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-16 22:15

Updated : 2024-11-21 09:48


NVD link : CVE-2024-5815

Mitre link : CVE-2024-5815

CVE.ORG link : CVE-2024-5815


JSON object : View

Products Affected

github

  • enterprise_server
CWE
CWE-352

Cross-Site Request Forgery (CSRF)