Severity
Medium
Analysis Summary
CVE-2024-5815 CVSS:4.9
GitHub Enterprise Server are vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVE-2024-5566 CVSS:5.8
GitHub Enterprise Server could allow a remote authenticated attacker to obtain sensitive information, caused by an improper privilege management vulnerability. By sending a specially crafted request, a remote attacker could <exploit this vulnerability to migrate private repositories without having appropriate scopes defined on the related Personal Access Token.
CVE-2024-6395 CVSS:5.3
GitHub Enterprise Server could allow a remote attacker to obtain sensitive information. By sending a specially crafted request, a remote attacker could exploit this vulnerability to enumerate the names of private repositories.
Impact
- Gain Access
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-5815
- CVE-2024-5566
- CVE-2024-6395
Affected Vendors
Affected Products
- GitHub Enterprise Server 3.9.16
- GitHub GitHub Enterprise Server 3.10.13
Remediation
Upgrade to the latest version of GitHub, available from the GitHub Website.