Vulnerability Description
An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click on that uploaded asset URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.2, 3.13.5, 3.12.10, 3.11.16. This vulnerability was reported via the GitHub Bug Bounty program.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Github | Enterprise Server | < 3.11.16 |
Related Weaknesses (CWE)
References
- https://docs.github.com/en/[email protected]/admin/release-notes#3.11.16Release Notes
- https://docs.github.com/en/[email protected]/admin/release-notes#3.12.10Release Notes
- https://docs.github.com/en/[email protected]/admin/release-notes#3.13.5Release Notes
- https://docs.github.com/en/[email protected]/admin/release-notes#3.14.2Release Notes
FAQ
What is CVE-2024-9539?
CVE-2024-9539 is a vulnerability with a CVSS score of 4.3 (MEDIUM). An information disclosure vulnerability was identified in GitHub Enterprise Server via attacker uploaded asset URL allowing the attacker to retrieve metadata information of a user who clicks on the UR...
How severe is CVE-2024-9539?
CVE-2024-9539 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-9539?
Check the references section above for vendor advisories and patch information. Affected products include: Github Enterprise Server.