GitHub recently addressed and fixed two moderately rated bugs in their system. The vulnerabilities, identified as CVE-2024-7711 and CVE-2024-6337, were both related to incorrect authorization vulnerabilities within the GitHub platform.
CVE-2024-7711, which received a “medium” severity rating with a 5.3 CVSS score, allowed attackers to update the title, assignees, and labels of any issue within a public repository. This vulnerability posed a potential risk to the integrity of the data stored in GitHub repositories.
On the other hand, CVE-2024-6337, the third vulnerability addressed in the recent patch, also involved an incorrect authorization vulnerability. This bug could enable an attacker to view the contents of an issue from a private repository using a GitHub App with specific permissions. GitHub highlighted that this vulnerability was only exploitable via user access tokens, and installation access tokens were not affected. With a CVSS rating of 5.9, CVE-2024-6337 presented a significant security concern for GitHub users.
It is worth noting that this is not the first time GitHub has encountered critical security issues. In a similar incident earlier this year in May, the GitHub Enterprise Server was impacted by a critical SAML authentication request forgery bug, identified as CVE-2024-4985. This bug, with a perfect 10-out-of-10 CVSS score, allowed attackers to gain admin privileges to business accounts, exposing GitHub enterprise customers to potential security breaches.
GitHub has been vigilant in addressing security vulnerabilities within its platform, swiftly releasing patches to fix these issues and protect user data. By promptly addressing and fixing these moderately rated bugs, GitHub has demonstrated its commitment to ensuring the security and integrity of its platform for its vast user base.
Overall, these recent security updates from GitHub serve as a reminder of the importance of continuously monitoring and addressing vulnerabilities to safeguard against potential cyber threats. Users are encouraged to stay informed about security updates and best practices to enhance their online security posture in an ever-evolving digital landscape.