GitHub fixes critical Enterprise Server bug granting admin privileges
Fixed two moderately rated bugs
One of the other vulnerabilities fixed with the patch is CVE-2024-7711, which received a “medium” severity rating at a 5.3 CVSS score. The vulnerability is an incorrect authorization vulnerability allowing an attacker to update the title, assignees, and labels of any issue inside a public repository, according to GitHub.
CVE-2024-6337, the third vulnerability addressed in the releases, is another incorrect authorization vulnerability that can allow an attacker to disclose the issue contents from a private repository using a GitHub App with only contents: read and pull requests: write permissions.
“This (CVE-2024-6337) was only exploitable via user access token, and installation access tokens were not impacted,” GitHub added. The vulnerability received a CVSS rating of 5.9. This is the second time in three months that GitHub has been hit with a critical SAML authentication request forgery bug. In May, the GitHub Enterprise Server was affected by a critical 10-out-of-10 CVSS scorer that exposed GitHub enterprise customers to attackers getting admin privileges to business accounts.