7.2

CVE-2024-3470

EPSS 0.04%
Published 19.04.2024 15:15:51
Last modified 02.09.2025 19:12:13
Source product-cna@github.com
CVE-Watchlists
Login
Open
Login

An Improper Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed an attacker to use a deploy key pertaining to an organization to bypass an organization ruleset. An attacker would require access to a valid deploy key for a repository in the organization as well as repository administrator access. This vulnerability affected versions of GitHub Enterprise Server 3.11 to 3.12 and was fixed in versions 3.11.8 and 3.12.2. This vulnerability was reported via the GitHub Bug Bounty program.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Github ≫ Enterprise Server Version >= 3.11.0 < 3.11.8

Github ≫ Enterprise Server Version >= 3.12.0 < 3.12.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.04%	0.125

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
product-cna@github.com	5.9	0.7	5.2	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.8

Release Notes

https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.2

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2024-3470

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-3470

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-3470

EUVD