{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9539", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "state": "PUBLISHED", "assignerShortName": "GitHub_P", "dateReserved": "2024-10-04T18:06:12.657Z", "datePublished": "2024-10-11T17:52:35.386Z", "dateUpdated": "2024-10-11T18:43:42.224Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "GitHub Enterprise Server", "vendor": "GitHub", "versions": [{"changes": [{"at": "3.14.2", "status": "unaffected"}], "lessThanOrEqual": "3.14.1", "status": "affected", "version": "3.14.0", "versionType": "semver"}, {"changes": [{"at": "3.13.5", "status": "unaffected"}], "lessThanOrEqual": "3.13.4", "status": "affected", "version": "3.13.0", "versionType": "semver"}, {"changes": [{"at": "3.12.10", "status": "unaffected"}], "lessThanOrEqual": "3.12.9", "status": "affected", "version": "3.12.0", "versionType": "semver"}, {"changes": [{"at": "3.11.16", "status": "unaffected"}], "lessThanOrEqual": "3.11.15", "status": "affected", "version": "3.11.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "P\u0103un Luca"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click on that uploaded asset URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.2, 3.13.5, 3.12.10, 3.11.16. This vulnerability was reported via the GitHub Bug Bounty program.</span></span><br>"}], "value": "An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click on that uploaded asset URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.2, 3.13.5, 3.12.10, 3.11.16. This vulnerability was reported via the GitHub Bug Bounty program."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 5.7, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2024-10-11T17:52:35.386Z"}, "references": [{"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.2"}, {"url": "https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.5"}, {"url": "https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.10"}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.16"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-11T18:43:33.374629Z", "id": "CVE-2024-9539", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-11T18:43:42.224Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9539", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "state": "PUBLISHED", "assignerShortName": "GitHub_P", "dateReserved": "2024-10-04T18:06:12.657Z", "datePublished": "2024-10-11T17:52:35.386Z", "dateUpdated": "2024-10-11T18:43:42.224Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "GitHub Enterprise Server", "vendor": "GitHub", "versions": [{"changes": [{"at": "3.14.2", "status": "unaffected"}], "lessThanOrEqual": "3.14.1", "status": "affected", "version": "3.14.0", "versionType": "semver"}, {"changes": [{"at": "3.13.5", "status": "unaffected"}], "lessThanOrEqual": "3.13.4", "status": "affected", "version": "3.13.0", "versionType": "semver"}, {"changes": [{"at": "3.12.10", "status": "unaffected"}], "lessThanOrEqual": "3.12.9", "status": "affected", "version": "3.12.0", "versionType": "semver"}, {"changes": [{"at": "3.11.16", "status": "unaffected"}], "lessThanOrEqual": "3.11.15", "status": "affected", "version": "3.11.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "P\u0103un Luca"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\">An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click on that uploaded asset URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.2, 3.13.5, 3.12.10, 3.11.16. This vulnerability was reported via the GitHub Bug Bounty program.</span></span><br>"}], "value": "An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click on that uploaded asset URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.2, 3.13.5, 3.12.10, 3.11.16. This vulnerability was reported via the GitHub Bug Bounty program."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 5.7, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2024-10-11T17:52:35.386Z"}, "references": [{"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.2"}, {"url": "https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.5"}, {"url": "https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.10"}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.16"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-9539", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-11T18:43:33.374629Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-11T18:43:38.212Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E624875C-FCF2-4538-8F3E-D64183154275", "versionEndExcluding": "3.11.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F70645DE-4DC2-40CB-B425-4E002B302FDB", "versionEndExcluding": "3.12.10", "versionStartIncluding": "3.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B08CBD2C-6DA7-4C0F-9812-42933F51C003", "versionEndExcluding": "3.13.5", "versionStartIncluding": "3.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "59E74193-93FE-45FE-8C74-34EC30EEB03C", "versionEndExcluding": "3.14.2", "versionStartIncluding": "3.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click on that uploaded asset URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.2, 3.13.5, 3.12.10, 3.11.16. This vulnerability was reported via the GitHub Bug Bounty program."}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en GitHub Enterprise Server a trav\u00e9s de una URL de un recurso cargado por un atacante, lo que le permite recuperar informaci\u00f3n de metadatos de un usuario que hace clic en la URL y explotarla para crear una p\u00e1gina de phishing convincente. Esto requer\u00eda que el atacante cargara archivos SVG maliciosos y enga\u00f1ara al usuario v\u00edctima para que hiciera clic en la URL del recurso cargado. Esta vulnerabilidad afect\u00f3 a todas las versiones de GitHub Enterprise Server anteriores a la 3.14 y se corrigi\u00f3 en las versiones 3.14.2, 3.13.5, 3.12.10 y 3.11.16. Esta vulnerabilidad se inform\u00f3 a trav\u00e9s del programa de recompensas por errores de GitHub."}], "id": "CVE-2024-9539", "lastModified": "2024-11-15T17:15:06.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "LOW", "subsequentSystemIntegrity": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "NONE"}, "source": "product-cna@github.com", "type": "Secondary"}]}, "published": "2024-10-11T18:15:08.887", "references": [{"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.16"}, {"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.10"}, {"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.5"}, {"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.2"}], "sourceIdentifier": "product-cna@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "product-cna@github.com", "type": "Secondary"}]}

{}