CVE-2024-1482

EPSS 0.08%
Veröffentlicht 14.02.2024 20:15:45
Zuletzt bearbeitet 23.01.2025 19:53:54
Quelle product-cna@github.com
CVE-Watchlists
Login
Unerledigt
Login

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to create new branches in public repositories and run arbitrary GitHub Actions workflows with permissions from the GITHUB_TOKEN. To exploit this vulnerability, an attacker would need access to the Enterprise Server. This vulnerability affected all versions of GitHub Enterprise Server after 3.8 and prior to 3.12, and was fixed in versions 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Github ≫ Enterprise Server Version >= 3.8.0 < 3.9.10

Github ≫ Enterprise Server Version >= 3.10.0 < 3.10.7

Github ≫ Enterprise Server Version >= 3.11.0 < 3.11.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.251

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
product-cna@github.com	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7

Release Notes

https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5

Release Notes

https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2024-1482

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1482

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1482

EUVD