CVE-2024-6336: Security misconfiguration was identified in GitHub Enterprise Server that allowed sensitive data exposure
First published: Tue Jul 16 2024(Updated: )
A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users in GitHub Enterprise Server by exploiting organization ruleset feature. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.
Credit: product-cna@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitHub Enterprise | >=3.9.0<3.9.17 | |
| GitHub Enterprise | >=3.10.0<3.10.14 | |
| GitHub Enterprise | >=3.11.0<3.11.12 | |
| GitHub Enterprise | >=3.12.0<3.12.6 | |
| GitHub Enterprise | =3.13.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.15
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.12
- https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.6
- https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.1
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.17
Frequently Asked Questions
What is the severity of CVE-2024-6336?
The severity of CVE-2024-6336 is classified as high due to its potential for unauthorized sensitive information disclosure.
How do I fix CVE-2024-6336?
To fix CVE-2024-6336, update GitHub Enterprise Server to the latest version that addresses this vulnerability.
What versions of GitHub Enterprise Server are affected by CVE-2024-6336?
CVE-2024-6336 affects GitHub Enterprise Server versions 3.9.0 through 3.9.17, 3.10.0 through 3.10.14, 3.11.0 through 3.11.12, and 3.12.0 through 3.12.6.
Can CVE-2024-6336 affect all users of GitHub Enterprise Server?
CVE-2024-6336 specifically allows sensitive information disclosure only to unauthorized users who are organization members.
What is the primary cause of the CVE-2024-6336 vulnerability?
The primary cause of CVE-2024-6336 is a security misconfiguration related to the organization ruleset feature in GitHub Enterprise Server.
- agent/weakness
- agent/references
- agent/title
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/github
- canonical/github enterprise
- version/github enterprise/3.9.0
- version/github enterprise/3.10.0
- version/github enterprise/3.11.0
- version/github enterprise/3.12.0
- version/github enterprise/3.13.0