
CVE-2024-8810

A privilege management vulnerability was identified in GitHub Enterprise Server that allowed GitHub Apps to grant themselves write access

  • Severity Score: 8.7 (CVSS v4)
  • Exploit Likelihood: (EPSS)
  • Affected Versions: (CPE)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: Track* (SSVC)

Description

A GitHub App installed in organizations could upgrade some permissions from read to write access without approval from an organization administrator. An attacker would require an account with administrator access to install a malicious GitHub App. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.14.1, 3.13.4, 3.12.9, 3.11.15, and 3.10.17. This vulnerability was reported via the GitHub Bug Bounty program.

*Credits: ahacker1
CVSS Scores
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present
Privileges Required: High
User Interaction: Active

Impact | Vulnerable System | Subsequent System
Confidentiality | High | High
Integrity | High | High
Availability | High | High
* Common Vulnerability Scoring System
SSVC
  • Decision: Track*
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2024-09-13 CVE Reserved
  • 2024-11-07 CVE Published
  • 2024-11-08 CVE Updated
  • 2024-11-08 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-269: Improper Privilege Management
CAPEC
  • CAPEC-233: Privilege Escalation
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
GitHub | Enterprise Server | >= 3.10.0 <= 3.10.16 | en | Affected
GitHub | Enterprise Server | >= 3.11.0 <= 3.11.14 | en | Affected
GitHub | Enterprise Server | >= 3.12.0 <= 3.12.8 | en | Affected
GitHub | Enterprise Server | >= 3.13.0 <= 3.13.3 | en | Affected
GitHub | Enterprise Server | 3.14.0 | en | Affected