NVD

Vulnerability Change Records for CVE-2024-1908

Action	Type	New Value
Added	CVSS V3.1	GitHub, Inc. (Products Only) AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Added	CWE	GitHub, Inc. (Products Only) CWE-269
Added	Description	An Improper Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed an attacker to use the Enterprise Actions GitHub Connect download token to fetch private repository data. An attacker would require an account on the server instance with non-default settings for GitHub Connect. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.16, 3.9.11, 3.10.8, and 3.11.6. This vulnerability was reported via the GitHub Bug Bounty program.
Added	Reference	GitHub, Inc. (Products Only) https://docs.github.com/en/enterprise-server@3.8/admin/release-notes/#3.8.16 [No types assigned]
Added	Reference	GitHub, Inc. (Products Only) https://docs.github.com/en/enterprise-server@3.9/admin/release-notes/#3.9.11 [No types assigned]
Added	Reference	GitHub, Inc. (Products Only) https://https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.8 [No types assigned]
Added	Reference	GitHub, Inc. (Products Only) https://https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.16 [No types assigned]