CVE-2024-1482

{"id": "CVE-2024-1482", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "product-cna@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-02-14T20:15:45.690", "references": [{"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "product-cna@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to create new branches in public repositories and run arbitrary GitHub Actions workflows with permissions from the GITHUB_TOKEN. To exploit this vulnerability, an attacker would need access to the Enterprise Server. This vulnerability affected all versions of GitHub Enterprise Server after 3.8 and prior to 3.12, and was fixed in versions 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.\n"}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de autorizaci\u00f3n incorrecta en GitHub Enterprise Server que permiti\u00f3 a un atacante crear nuevas sucursales en repositorios p\u00fablicos y ejecutar flujos de trabajo arbitrarios de GitHub Actions con permisos de GITHUB_TOKEN. Para aprovechar esta vulnerabilidad, un atacante necesitar\u00eda acceso al servidor empresarial. Esta vulnerabilidad afect\u00f3 a todas las versiones de GitHub Enterprise Server posteriores a la 3.8 y anteriores a la 3.12, y se solucion\u00f3 en las versiones 3.9.10, 3.10.7, 3.11.5. Esta vulnerabilidad se inform\u00f3 a trav\u00e9s del programa GitHub Bug Bounty."}], "lastModified": "2025-01-23T19:53:54.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "87AFBB5E-CCD3-4C54-8813-8D4ABF12C3E7", "versionEndExcluding": "3.9.10", "versionStartIncluding": "3.8.0"}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB406BB2-7ABF-4A44-830F-7012CDB3D81D", "versionEndExcluding": "3.10.7", "versionStartIncluding": "3.10.0"}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0529566C-AC2F-4385-93D7-578230AC453E", "versionEndExcluding": "3.11.5", "versionStartIncluding": "3.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "product-cna@github.com"}