{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1082", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "state": "PUBLISHED", "assignerShortName": "GitHub_P", "dateReserved": "2024-01-30T19:17:02.516Z", "datePublished": "2024-02-13T18:47:10.591Z", "dateUpdated": "2025-05-09T18:16:58.580Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Enterprise Server", "vendor": "GitHub", "versions": [{"changes": [{"at": "3.8.15", "status": "unaffected"}], "lessThan": "3.8.15", "status": "affected", "version": "3.8.0", "versionType": "semver"}, {"changes": [{"at": "3.9.10", "status": "unaffected"}], "lessThan": "3.9.10", "status": "affected", "version": "3.9.0", "versionType": "semver"}, {"changes": [{"at": "3.10.7", "status": "unaffected"}], "lessThan": "3.10.7", "status": "affected", "version": "3.10.0", "versionType": "semver"}, {"changes": [{"at": "3.11.5", "status": "unaffected"}], "lessThan": "3.11.5", "status": "affected", "version": "3.11.0", "versionType": "semver"}, {"status": "unaffected", "version": "3.12"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "yvvdwf"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A path traversal vulnerability was identified in GitHub Enterprise Server that allowed an&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">attacker to gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball</span>. <span style=\"background-color: rgb(255, 255, 255);\">To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance</span>. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.15, 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.<br>"}], "value": "A path traversal vulnerability was identified in GitHub Enterprise Server that allowed an\u00a0attacker to gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.15, 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.\n"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2024-02-28T15:39:56.533Z"}, "references": [{"url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15"}, {"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10"}, {"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7"}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5"}], "source": {"discovery": "EXTERNAL"}, "title": "Path traversal vulnerability in GitHub Enterprise Server that allowed arbitrary file read with a specially crafted GitHub Pages artifact upload", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.498Z"}, "title": "CVE Program Container", "references": [{"url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15", "tags": ["x_transferred"]}, {"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10", "tags": ["x_transferred"]}, {"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7", "tags": ["x_transferred"]}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T15:49:38.645692Z", "id": "CVE-2024-1082", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T18:16:58.580Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1082", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "state": "PUBLISHED", "assignerShortName": "GitHub_P", "dateReserved": "2024-01-30T19:17:02.516Z", "datePublished": "2024-02-13T18:47:10.591Z", "dateUpdated": "2025-05-09T18:16:58.580Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Enterprise Server", "vendor": "GitHub", "versions": [{"changes": [{"at": "3.8.15", "status": "unaffected"}], "lessThan": "3.8.15", "status": "affected", "version": "3.8.0", "versionType": "semver"}, {"changes": [{"at": "3.9.10", "status": "unaffected"}], "lessThan": "3.9.10", "status": "affected", "version": "3.9.0", "versionType": "semver"}, {"changes": [{"at": "3.10.7", "status": "unaffected"}], "lessThan": "3.10.7", "status": "affected", "version": "3.10.0", "versionType": "semver"}, {"changes": [{"at": "3.11.5", "status": "unaffected"}], "lessThan": "3.11.5", "status": "affected", "version": "3.11.0", "versionType": "semver"}, {"status": "unaffected", "version": "3.12"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "yvvdwf"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A path traversal vulnerability was identified in GitHub Enterprise Server that allowed an&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">attacker to gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball</span>. <span style=\"background-color: rgb(255, 255, 255);\">To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance</span>. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.15, 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.<br>"}], "value": "A path traversal vulnerability was identified in GitHub Enterprise Server that allowed an\u00a0attacker to gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.15, 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.\n"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2024-02-28T15:39:56.533Z"}, "references": [{"url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15"}, {"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10"}, {"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7"}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5"}], "source": {"discovery": "EXTERNAL"}, "title": "Path traversal vulnerability in GitHub Enterprise Server that allowed arbitrary file read with a specially crafted GitHub Pages artifact upload", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.498Z"}, "title": "CVE Program Container", "references": [{"url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15", "tags": ["x_transferred"]}, {"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10", "tags": ["x_transferred"]}, {"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7", "tags": ["x_transferred"]}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1082", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-08T15:49:38.645692Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T15:49:40.305Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC6BA1DD-5194-4738-B23D-07FCEAFFB3DF", "versionEndExcluding": "3.8.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C3BDFFD-8A83-4D52-8A6E-B87B8070A046", "versionEndExcluding": "3.9.10", "versionStartIncluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB406BB2-7ABF-4A44-830F-7012CDB3D81D", "versionEndExcluding": "3.10.7", "versionStartIncluding": "3.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "0529566C-AC2F-4385-93D7-578230AC453E", "versionEndExcluding": "3.11.5", "versionStartIncluding": "3.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability was identified in GitHub Enterprise Server that allowed an\u00a0attacker to gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.15, 3.9.10, 3.10.7, 3.11.5. This vulnerability was reported via the GitHub Bug Bounty program.\n"}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de path traversal en GitHub Enterprise Server que permiti\u00f3 a un atacante obtener permiso de lectura no autorizado de archivos mediante la implementaci\u00f3n de enlaces simb\u00f3licos arbitrarios a un sitio de GitHub Pages con un archivo tar de artefacto especialmente manipulado. Para explotar esta vulnerabilidad, un atacante necesitar\u00eda permiso para crear y construir un sitio de p\u00e1ginas de GitHub en la instancia de GitHub Enterprise Server. Esta vulnerabilidad afect\u00f3 a todas las versiones de GitHub Enterprise Server anteriores a la 3.12 y se solucion\u00f3 en las versiones 3.8.15, 3.9.10, 3.10.7, 3.11.5. Esta vulnerabilidad se inform\u00f3 a trav\u00e9s del programa GitHub Bug Bounty."}], "id": "CVE-2024-1082", "lastModified": "2024-11-21T08:49:45.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "product-cna@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-13T19:15:08.793", "references": [{"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7"}, {"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5"}, {"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15"}, {"source": "product-cna@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10"}], "sourceIdentifier": "product-cna@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "product-cna@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}