CVE-2024-2440 Vulnerability Details

  /     /     /  

CVE-2024-2440 Metadata Quick Info

CVE Published: 19/04/2024 | CVE Updated: 01/08/2024 | CVE Year: 2024
Source: GitHub_P | Vendor: GitHub | Product: Enterprise Server
Status : PUBLISHED

---

CVE-2024-2440 Description

A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on a detached repository by making a GraphQL mutation to alter repository permissions while the repository is detached. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.13 and was fixed in versions 3.9.13, 3.10.10, 3.11.8 and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program.

Metrics

CVSS Version: 3.1 | Base Score: 5.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* HIGH
    User Interaction (UI)* NONE
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* HIGH
    Availability Impact (A)* LOW

Weakness Enumeration (CWE)

CWE-ID: CWE-367
CWE Name: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Source: GitHub

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-29
CAPEC Description: CAPEC-29 Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions


Source: NVD (National Vulnerability Database).