CVE-2024-9539

MEDIUM

GitHub Enterprise Server < 3.11.16 - Information Disclosure via Malicious SVG Asset URL

Title source: llm

Description

An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click on that uploaded asset URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.2, 3.13.5, 3.12.10, 3.11.16. This vulnerability was reported via the GitHub Bug Bounty program.

References (4)

Core 4

Core References

Release Notes

https://docs.github.com/en/[email protected]/admin/release-notes#3.11.16

Release Notes

https://docs.github.com/en/[email protected]/admin/release-notes#3.12.10

Release Notes

https://docs.github.com/en/[email protected]/admin/release-notes#3.13.5

Release Notes

https://docs.github.com/en/[email protected]/admin/release-notes#3.14.2

Scores

CVSS v3 4.3

EPSS 0.0062

EPSS Percentile 44.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (1)

github/enterprise_server < 3.11.16

Published Oct 11, 2024

Tracked Since Feb 18, 2026