Description
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and was fixed in versions 2.21.6, 2.20.15, and 2.19.21. This vulnerability was reported via the GitHub Bug Bounty program.
References (3)
Core 3
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://enterprise.github.com/releases/2.19.21/notes
Release Notes, Vendor Advisory x_refsource_misc
https://enterprise.github.com/releases/2.20.15/notes
Release Notes, Vendor Advisory x_refsource_misc
https://enterprise.github.com/releases/2.21.6/notes
Scores
CVSS v3
4.3
EPSS
0.0105
EPSS Percentile
59.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-285
Status
published
Products (1)
github/github
< 2.19.21
Published
Aug 27, 2020
Tracked Since
Feb 18, 2026