CVE-2024-9539

An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click on that uploaded asset URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.2, 3.13.5, 3.12.10, 3.11.16. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.16	Release Notes
https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.10	Release Notes
https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.5	Release Notes
https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.2	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::

History

15 Nov 2024, 17:15

Type	Values Removed	Values Added
References	~~() https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.16 -~~	() https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.16 - Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.10 -~~	() https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.10 - Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.5 -~~	() https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.5 - Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.2 -~~	() https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.2 - Release Notes
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
First Time		Github enterprise Server Github
CPE		cpe:2.3:a:github:enterprise_server::::::::
CWE		NVD-CWE-noinfo

15 Oct 2024, 12:57

Type	Values Removed	Values Added
Summary		(es) Se identificó una vulnerabilidad de divulgación de información en GitHub Enterprise Server a través de una URL de un recurso cargado por un atacante, lo que le permite recuperar información de metadatos de un usuario que hace clic en la URL y explotarla para crear una página de phishing convincente. Esto requería que el atacante cargara archivos SVG maliciosos y engañara al usuario víctima para que hiciera clic en la URL del recurso cargado. Esta vulnerabilidad afectó a todas las versiones de GitHub Enterprise Server anteriores a la 3.14 y se corrigió en las versiones 3.14.2, 3.13.5, 3.12.10 y 3.11.16. Esta vulnerabilidad se informó a través del programa de recompensas por errores de GitHub.

11 Oct 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-11 18:15

Updated : 2024-11-15 17:15

NVD link : CVE-2024-9539

Mitre link : CVE-2024-9539

CVE.ORG link : CVE-2024-9539

JSON object : View

Products Affected

github

enterprise_server

CWE

NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

4.3 /10