CVE-2024-5816: Improper authorization allows persistent access in GitHub Enterprise Server
First published: Tue Jul 16 2024(Updated: )
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to the repository via a scoped user access token. This was only exploitable in public repositories while private repositories were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.9.17, 3.10.14, 3.11.12, 3.12.6, 3.13.1. This vulnerability was reported via the GitHub Bug Bounty program.
Credit: product-cna@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitHub Enterprise | >=3.9.0<3.9.17 | |
| GitHub Enterprise | >=3.10.0<3.10.14 | |
| GitHub Enterprise | >=3.11.0<3.11.12 | |
| GitHub Enterprise | >=3.12.0<3.12.6 | |
| GitHub Enterprise | =3.13.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.15
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.12
- https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.6
- https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.1
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.9.17
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.17
Frequently Asked Questions
What is the severity of CVE-2024-5816?
The severity of CVE-2024-5816 is classified as high due to the risk of unauthorized access to repositories.
How do I fix CVE-2024-5816?
To fix CVE-2024-5816, it is recommended to update GitHub Enterprise Server to version 3.10.15 or later, 3.11.12 or later, 3.12.6 or later, or version 3.13.0.
Which versions of GitHub Enterprise Server are affected by CVE-2024-5816?
CVE-2024-5816 affects GitHub Enterprise Server versions 3.9.0 to 3.9.17, 3.10.0 to 3.10.14, 3.11.0 to 3.11.12, 3.12.0 to 3.12.6, and 3.13.0.
Is my private repository vulnerable to CVE-2024-5816?
No, private repositories are not impacted by CVE-2024-5816; the vulnerability only affects public repositories.
What type of vulnerability is CVE-2024-5816?
CVE-2024-5816 is an Incorrect Authorization vulnerability that allows a suspended GitHub App to retain access through a scoped user access token.
- agent/weakness
- agent/references
- agent/title
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/github
- canonical/github enterprise
- version/github enterprise/3.9.0
- version/github enterprise/3.10.0
- version/github enterprise/3.11.0
- version/github enterprise/3.12.0
- version/github enterprise/3.13.0