An Improper Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed an attacker to use the Enterprise Actions GitHub Connect download token to fetch private repository data. An attacker would require an account on the server instance with non-default settings for GitHub Connect. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.16, 3.9.11, 3.10.8, and 3.11.6. This vulnerability was reported via the GitHub Bug Bounty program. 


History

Tue, 02 Sep 2025 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2024-08-05T15:06:12.570Z

Reserved: 2024-02-26T21:18:16.296Z

Link: CVE-2024-1908

cve-icon Vulnrichment

Updated: 2024-08-01T18:56:22.478Z

cve-icon NVD

Status : Analyzed

Published: 2024-03-21T02:51:48.760

Modified: 2025-09-02T13:46:35.067

Link: CVE-2024-1908

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-12T23:06:37Z