CVE-2024-6337

Incorrect Authorization allows read access to issues in GitHub Enterprise Server

Description

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. This was only exploitable via user access token and installation access token was not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14 and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.

References

Link	Tags
https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.16	release notes vendor advisory
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.14	release notes vendor advisory
https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.8	release notes vendor advisory
https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.3	release notes vendor advisory

Frequently Asked Questions

What is the severity of CVE-2024-6337?: CVE-2024-6337 has been scored as a medium severity vulnerability.
How to fix CVE-2024-6337?: To fix CVE-2024-6337, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-6337 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-6337 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-6337?: CVE-2024-6337 affects GitHub GitHub Enterprise Server.

Description

Category

CWE-863 – Incorrect Authorization

References

Frequently Asked Questions