{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-6395","assignerOrgId":"82327ea3-741d-41e4-88f8-2cf9e791e760","state":"PUBLISHED","assignerShortName":"GitHub_P","dateReserved":"2024-06-27T17:43:52.407Z","datePublished":"2024-07-16T21:27:10.901Z","dateUpdated":"2024-08-01T21:41:03.389Z"},"containers":{"cna":{"affected":[{"defaultStatus":"affected","product":"GitHub Enterprise Server","vendor":"GitHub","versions":[{"changes":[{"at":"3.10.14","status":"unaffected"}],"lessThanOrEqual":"3.10.13","status":"affected","version":"3.10.0","versionType":"semver"},{"changes":[{"at":"3.11.12","status":"unaffected"}],"lessThanOrEqual":"3.11.11","status":"affected","version":"3.11.0","versionType":"semver"},{"changes":[{"at":"3.12.6","status":"unaffected"}],"lessThanOrEqual":"3.12.5","status":"affected","version":"3.12.0","versionType":"semver"},{"changes":[{"at":"3.13.1","status":"unaffected"}],"lessThanOrEqual":"3.13.0","status":"affected","version":"3.13","versionType":"semver"},{"changes":[{"at":"3.9.17","status":"unaffected"}],"lessThanOrEqual":"3.9.16","status":"affected","version":"3.9.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"ahacker1"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An exposure of sensitive information vulnerability in GitHub Enterprise Server would allow an attacker to enumerate the names of private repositories that utilize deploy keys. <span style=\"background-color: rgb(252, 252, 252);\">This vulnerability did not allow unauthorized access to any repository content besides the name. <span style=\"background-color: rgb(252, 252, 252);\">This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program.</span></span><br>"}],"value":"An exposure of sensitive information vulnerability in GitHub Enterprise Server would allow an attacker to enumerate the names of private repositories that utilize deploy keys. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program."}],"impacts":[{"capecId":"CAPEC-261","descriptions":[{"lang":"en","value":"CAPEC-261 Fuzzing for garnering other adjacent user/sensitive data"}]}],"metrics":[{"cvssV4_0":{"Automatable":"YES","Recovery":"NOT_DEFINED","Safety":"NEGLIGIBLE","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":6.3,"baseSeverity":"MEDIUM","privilegesRequired":"NONE","providerUrgency":"AMBER","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"CONCENTRATED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/AU:Y/V:C/RE:L/U:Amber","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"LOW"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"82327ea3-741d-41e4-88f8-2cf9e791e760","shortName":"GitHub_P","dateUpdated":"2024-07-16T21:27:10.901Z"},"references":[{"url":"https://help.github.com/enterprise-server@3.10/admin/release-notes#3.10.15"},{"url":"https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.12"},{"url":"https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.6"},{"url":"https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.1"},{"url":"https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.17"}],"source":{"discovery":"UNKNOWN"},"title":"GitHub Enterprise Server Information Disclosure Vulnerability Exposes Private Repository Names via Deploy Keys","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-07-17T14:16:45.561581Z","id":"CVE-2024-6395","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-07-17T14:16:58.488Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-01T21:41:03.389Z"},"title":"CVE Program Container","references":[{"url":"https://help.github.com/enterprise-server@3.10/admin/release-notes#3.10.15","tags":["x_transferred"]},{"url":"https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.12","tags":["x_transferred"]},{"url":"https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.6","tags":["x_transferred"]},{"url":"https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.1","tags":["x_transferred"]},{"url":"https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.17","tags":["x_transferred"]}]}]}}