{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7711", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "state": "PUBLISHED", "assignerShortName": "GitHub_P", "dateReserved": "2024-08-12T18:11:15.883Z", "datePublished": "2024-08-20T19:17:37.776Z", "dateUpdated": "2024-08-20T19:46:55.283Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "GitHub Enterprise Server", "vendor": "GitHub", "versions": [{"changes": [{"at": "3.11.14", "status": "unaffected"}], "lessThanOrEqual": "3.11.13", "status": "affected", "version": "3.11.0", "versionType": "semver"}, {"changes": [{"at": "3.12.8", "status": "unaffected"}], "lessThanOrEqual": "3.12.7", "status": "affected", "version": "3.12.0", "versionType": "semver"}, {"changes": [{"at": "3.13.3", "status": "unaffected"}], "lessThanOrEqual": "3.13.2", "status": "affected", "version": "3.13.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "ahacker1"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. This was only exploitable inside a public repository. This vulnerability affected GitHub Enterprise Server versions before 3.14 and was fixed in versions 3.13.3, 3.12.8, and 3.11.14. Versions 3.10 of GitHub Enterprise Server are not affected. This vulnerability was reported via the GitHub Bug Bounty program."}], "value": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. This was only exploitable inside a public repository. This vulnerability affected GitHub Enterprise Server versions before 3.14 and was fixed in versions 3.13.3, 3.12.8, and 3.11.14. Versions 3.10 of GitHub Enterprise Server are not affected. This vulnerability was reported via the GitHub Bug Bounty program."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2024-08-20T19:17:37.776Z"}, "references": [{"url": "https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.3"}, {"url": "https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.8"}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.14"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-20T19:46:19.440056Z", "id": "CVE-2024-7711", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-20T19:46:55.283Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7711", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-20T19:46:19.440056Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-20T19:46:52.845Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "ahacker1"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 5.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Amber", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "GitHub", "product": "GitHub Enterprise Server", "versions": [{"status": "affected", "changes": [{"at": "3.11.14", "status": "unaffected"}], "version": "3.11.0", "versionType": "semver", "lessThanOrEqual": "3.11.13"}, {"status": "affected", "changes": [{"at": "3.12.8", "status": "unaffected"}], "version": "3.12.0", "versionType": "semver", "lessThanOrEqual": "3.12.7"}, {"status": "affected", "changes": [{"at": "3.13.3", "status": "unaffected"}], "version": "3.13.0", "versionType": "semver", "lessThanOrEqual": "3.13.2"}], "defaultStatus": "affected"}], "references": [{"url": "https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.3"}, {"url": "https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.8"}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.14"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. This was only exploitable inside a public repository. This vulnerability affected GitHub Enterprise Server versions before 3.14 and was fixed in versions 3.13.3, 3.12.8, and 3.11.14. Versions 3.10 of GitHub Enterprise Server are not affected. This vulnerability was reported via the GitHub Bug Bounty program.", "supportingMedia": [{"type": "text/html", "value": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. This was only exploitable inside a public repository. This vulnerability affected GitHub Enterprise Server versions before 3.14 and was fixed in versions 3.13.3, 3.12.8, and 3.11.14. Versions 3.10 of GitHub Enterprise Server are not affected. This vulnerability was reported via the GitHub Bug Bounty program.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2024-08-20T19:17:37.776Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7711", "state": "PUBLISHED", "dateUpdated": "2024-08-20T19:46:55.283Z", "dateReserved": "2024-08-12T18:11:15.883Z", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "datePublished": "2024-08-20T19:17:37.776Z", "assignerShortName": "GitHub_P"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6ECADA51-1495-4D35-B7C0-6ADED7EDD26D", "versionEndExcluding": "3.11.14", "versionStartIncluding": "3.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C305C7E-C6A2-42F2-A910-203B74C71128", "versionEndExcluding": "3.12.8", "versionStartIncluding": "3.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A51D9A9-389E-469F-B17C-F5B7CCEEC498", "versionEndExcluding": "3.13.3", "versionStartIncluding": "3.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. This was only exploitable inside a public repository. This vulnerability affected GitHub Enterprise Server versions before 3.14 and was fixed in versions 3.13.3, 3.12.8, and 3.11.14. Versions 3.10 of GitHub Enterprise Server are not affected. This vulnerability was reported via the GitHub Bug Bounty program."}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de autorizaci\u00f3n incorrecta en GitHub Enterprise Server, lo que permite a un atacante actualizar el t\u00edtulo, los asignatarios y las etiquetas de cualquier problema dentro de un repositorio p\u00fablico. Esto s\u00f3lo era explotable dentro de un repositorio p\u00fablico. Esta vulnerabilidad afect\u00f3 a las versiones de GitHub Enterprise Server anteriores a la 3.14 y se solucion\u00f3 en las versiones 3.13.3, 3.12.8 y 3.11.14. Las versiones 3.10 de GitHub Enterprise Server no se ven afectadas. Esta vulnerabilidad se inform\u00f3 a trav\u00e9s del programa GitHub Bug Bounty."}], "id": "CVE-2024-7711", "lastModified": "2024-09-27T18:17:05.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "YES", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "recovery": "USER", "safety": "NEGLIGIBLE", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "LOW", "subsequentSystemIntegrity": "LOW", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnerabilityResponseEffort": "LOW", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "LOW"}, "source": "product-cna@github.com", "type": "Secondary"}]}, "published": "2024-08-20T20:15:10.173", "references": [{"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.14"}, {"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.8"}, {"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.3"}], "sourceIdentifier": "product-cna@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "product-cna@github.com", "type": "Secondary"}]}

{}