CVE-2024-9539

Published Oct 11, 2024

Last updated 2 days ago

CVSS medium 5.7

Overview

Description
An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click on that uploaded asset URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.2, 3.13.5, 3.12.10, 3.11.16. This vulnerability was reported via the GitHub Bug Bounty program.
Source
product-cna@github.com
NVD status
Analyzed

Risk scores

CVSS 4.0

Type
Secondary
Base score
5.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Primary
Base score
4.3
Impact score
1.4
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Severity
MEDIUM

Weaknesses

nvd@nist.gov
NVD-CWE-noinfo
product-cna@github.com
CWE-200

Social media

Hype score
Not currently trending

  1. 🚨 CVE-2024-10007 (Published: 2024-11-07) - High severity vulnerability in GitHub Enterprise Server v3.14.3. Affects multiple CVEs: CVE-2024-0487, CVE-2024-9539, CVE-2024-8810, CVE-2024-8770. Remediation: Update to the latest version to mitigate risks. More info:… https://t.co/bl

    @transilienceai

    11 Nov 2024

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

References