CVE-2024-2748

A Cross Site Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker to execute unauthorized actions on behalf of an unsuspecting user. A mitigating factor is that user interaction is required. This vulnerability affected GitHub Enterprise Server 3.12.0 and was fixed in versions 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.github.com/en/enterprise-server@3.12/admin/release-notes/#3.12.1	Release Notes
https://docs.github.com/en/enterprise-server@3.12/admin/release-notes/#3.12.1	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:github:enterprise_server:3.12.0:*:*:*:*:*:*:*

History

02 Sep 2025, 14:07

Type	Values Removed	Values Added
CPE		cpe:2.3:a:github:enterprise_server:3.12.0:::::::*
First Time		Github Github enterprise Server
References	~~() https://docs.github.com/en/enterprise-server@3.12/admin/release-notes/#3.12.1 -~~	() https://docs.github.com/en/enterprise-server@3.12/admin/release-notes/#3.12.1 - Release Notes

Information

Published : 2024-03-21 00:15

Updated : 2025-09-02 14:07

NVD link : CVE-2024-2748

Mitre link : CVE-2024-2748

CVE.ORG link : CVE-2024-2748

JSON object : View

Products Affected

github

enterprise_server

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2024-2748", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "product-cna@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-03-21T00:15:09.710", "references": [{"url": "https://docs.github.com/en/enterprise-server@3.12/admin/release-notes/#3.12.1", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.12/admin/release-notes/#3.12.1", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "product-cna@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "A Cross Site Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker to execute unauthorized actions on behalf of an unsuspecting user. A mitigating factor is that user interaction is required. This vulnerability affected GitHub Enterprise Server 3.12.0 and was fixed in versions 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program.\u00a0\n"}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de Cross Site Request Forgery en GitHub Enterprise Server que permiti\u00f3 a un atacante ejecutar acciones no autorizadas en nombre de un usuario desprevenido. Un factor atenuante es que se requiere la interacci\u00f3n del usuario. Esta vulnerabilidad afect\u00f3 a GitHub Enterprise Server 3.12.0 y se solucion\u00f3 en las versiones 3.12.1. Esta vulnerabilidad se inform\u00f3 a trav\u00e9s del programa GitHub Bug Bounty. "}], "lastModified": "2025-09-02T14:07:47.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:github:enterprise_server:3.12.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F223B5B-5A33-4ADD-8AE0-258D208757C2"}], "operator": "OR"}]}], "sourceIdentifier": "product-cna@github.com"}