CVE-2024-2440

Опубликовано: 19 апр. 2024

Источник: nvd

CVSS3: 5.5

CVSS3: 5.9

EPSS Низкий

Описание

A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on a detached repository by making a GraphQL mutation to alter repository permissions while the repository is detached. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.13 and was fixed in versions 3.9.13, 3.10.10, 3.11.8 and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program.

Ссылки

https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.10
Release Notes
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.8
Release Notes
https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.2
Release Notes
https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.13
Release Notes
https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.10
Release Notes
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.8
Release Notes
https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.2
Release Notes
https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.13
Release Notes

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*

Версия до 3.9.13 (исключая)

cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*

Версия от 3.10.0 (включая) до 3.10.10 (исключая)

cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*

Версия от 3.11.0 (включая) до 3.11.8 (исключая)

cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*

Версия от 3.12.0 (включая) до 3.12.1 (исключая)

EPSS

Процентиль: 35%

0.00142

Низкий

5.5 Medium

CVSS3

5.9 Medium

CVSS3

Дефекты

CWE-367

Связанные уязвимости

GHSA-r76q-x459-hm6w

CVSS3: 5.5

github

почти 2 года назад

EPSS

Процентиль: 35%

0.00142

Низкий

5.5 Medium

CVSS3

5.9 Medium

CVSS3

Дефекты

CWE-367