Impact
The vulnerability allows an authenticated user to read source code from private repositories they were not explicitly granted access to. It is a missing authorization flaw that enables the rendering of a diff summary across repositories without checking permissions on the target repository. The impact is the disclosure of confidential code, potentially compromising intellectual property or proprietary logic.
Affected Systems
GitHub Enterprise Server versions prior to 3.21 are affected. The issue was corrected in 3.17.17, 3.18.11, 3.19.8, and 3.20.4, so any instance running a version before 3.21 is vulnerable if not updated.
Risk and Exploitability
The CVSS score of 6.0 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploit activity yet. An attacker must have an authenticated account with read access to at least one repository to try the exploit, so the attack vector is through legitimate user access rather than unauthenticated external entry. The lack of extensive public exploitation data reduces the current threat level but still warrants remediation.
OpenCVE Enrichment