Required CVE Record Information
Description
A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on transferred repositories by making a GraphQL mutation to alter repository permissions during the transfer. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1.
CVSS 1 Total
| Score | Severity | Version | Vector String |
|---|---|---|---|
| 3.9 | LOW | 3.1 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L |
Credits
- inspector-ambitious finder
References 4 Total
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1
Updated:
This container includes required additional information provided by the CVE Program for this vulnerability.
References 4 Total
- https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 x_transferred
- https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 x_transferred
- https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 x_transferred
- https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1 x_transferred