CVE-2024-6336

5.3 MEDIUM

📋 TL;DR

A security misconfiguration in GitHub Enterprise Server allowed sensitive information to be disclosed to unauthorized users through the organization ruleset feature. The attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability affected all GitHub Enterprise Server versions prior to 3.14 and was fixed in 3.13.1, 3.12.6, 3.11.12, 3.10.14 and 3.9.17.

💻 Affected Systems

Products:
  • GitHub Enterprise Server
Versions: All versions prior to 3.14 that lack the backported fix (fixed in 3.13.1, 3.12.6, 3.11.12, 3.10.14 and 3.9.17; 3.8 and older received no fix)
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires organization ruleset feature and a member changing repository visibility from private to public.

📦 What is this software?

GitHub Enterprise Server is the self-hosted edition of GitHub, shipped as a virtual appliance that customers run in their own data centers or cloud accounts. It provides the same repository, pull request, organization and ruleset features as GitHub.com and is administered through a web Management Console and an SSH administrative shell on port 122.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Disclosure of source code, secrets committed to history, or other proprietary material from a private repository to users who should not be able to see it.

🟠 Likely Case

An organization member flips a dependent repository from private to public as part of normal work, and the ruleset feature discloses more than the member intended, revealing internal tooling or development secrets.

🟢 If Mitigated

With the patch applied, the ruleset feature no longer discloses information; what remains is the ordinary risk of a repository being made public by mistake, which visibility policies and audit-log monitoring keep small.

🌐 Internet-Facing: MEDIUM - The trigger is an authenticated member's action, but once a repository is public its contents are reachable by anyone who can reach the instance.
🏢 Internal Only: MEDIUM - Exposure is to other users of the instance rather than to the internet, but internal users can still obtain data they were not entitled to.

🎯 Exploit Status

Public PoC: No
Weaponized: Unknown
Unauthenticated Exploit: No
Complexity: MEDIUM

Exploitation requires an authenticated organization member to change a repository's visibility from private to public. That makes opportunistic external exploitation unlikely, but the vulnerability remains relevant to insider threat and to compromised member accounts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.13.1, 3.12.6, 3.11.12, 3.10.14, 3.9.17

Vendor Advisory: https://docs.github.com/en/enterprise-server/admin/release-notes

Restart Required: Yes for a full upgrade package (the appliance reboots); a hotpatch applied within the same feature release with ghe-upgrade typically does not require a reboot.

Instructions:

1. Back up the appliance configuration and data (GitHub Enterprise Server Backup Utilities, ghe-backup, run from the backup host).
2. Download the upgrade package or hotpatch for your release line (3.13.1, 3.12.6, 3.11.12, 3.10.14 or 3.9.17) from the GitHub Enterprise Server download page.
3. Enable maintenance mode (ghe-maintenance -s), then apply the package with ghe-upgrade following the upgrade procedure for your current version. A full upgrade package reboots the appliance; a hotpatch typically does not.
4. After the appliance is back, confirm the version with ghe-version and disable maintenance mode (ghe-maintenance -u).

🔧 Temporary Workarounds

Restrict Repository Visibility Changes

Applies to: all affected versions

In each organization's settings (Member privileges, "Repository visibility change"), disallow members from changing repository visibility so that only organization owners can make a repository public. The same restriction can be pushed down from the enterprise account's repository policies.

Audit Repository Visibility Settings

Applies to: all affected versions

Regularly list the organization's public repositories and confirm each one is meant to be public, and review the audit log for repo.access events (the action recorded when a repository's visibility changes).

🧯 If You Can't Patch

  • Limit repository visibility changes to organization owners through the organization and enterprise "Repository visibility change" policies.
  • Stream or export the audit log and alert on repo.access events where the new visibility is public, so that any private-to-public flip is reviewed promptly.

🔍 How to Verify

Check if Vulnerable:

Check the GitHub Enterprise Server version in the Management Console, or connect to the administrative shell (SSH on port 122) and run ghe-version.

Check Version:

ssh -p 122 admin@github-enterprise-instance 'ghe-version'

Verify Fix Applied:

Verify that the version is at or above the fixed release for its line (3.13.1, 3.12.6, 3.11.12, 3.10.14 or 3.9.17) or is 3.14 or later. Since no public PoC exists, the version comparison is the practical check; a patched appliance should also still record repo.access audit events when visibility is changed.
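Comparing ghe-version output against five different fixed releases by hand is easy to get wrong across release lines, so here is an added helper that does the comparison. It is example code written for this page, not GitHub tooling; it assumes ghe-version prints the appliance version as a dotted X.Y.Z somewhere in its output (extracted with a regular expression), and the fixed-version table is taken from the advisory above.

```python
import re
import sys

# Minimum fixed patch level per affected release line, from the advisory.
# 3.14 and later shipped fixed; lines older than 3.9 received no backport.
FIXED_PATCH = {
    (3, 13): 1,
    (3, 12): 6,
    (3, 11): 12,
    (3, 10): 14,
    (3, 9): 17,
}


def parse_version(text):
    """Extract the first X.Y.Z version from arbitrary command output.

    Assumption: ghe-version prints the appliance version as a dotted triple
    somewhere in its output; surrounding text is ignored.
    """
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not match:
        raise ValueError(f"no X.Y.Z version found in: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version):
    """Return (vulnerable, reason) for a (major, minor, patch) tuple."""
    major, minor, patch = version
    line = (major, minor)
    if line >= (3, 14):
        return False, "3.14 and later were never affected"
    fixed = FIXED_PATCH.get(line)
    if fixed is None:
        # Unsupported release line: no backported fix exists, so the only
        # remedy is moving to a supported line.
        return True, f"{major}.{minor} has no backported fix; upgrade to a supported line"
    if patch >= fixed:
        return False, f"{major}.{minor}.{patch} includes the fix ({major}.{minor}.{fixed} or later)"
    return True, f"{major}.{minor}.{patch} is below the fixed release {major}.{minor}.{fixed}"


def assess_output(text):
    """Convenience wrapper: feed raw ghe-version output straight in."""
    return assess(parse_version(text))


if __name__ == "__main__":
    # Usage: ssh -p 122 admin@HOST 'ghe-version' | python3 check_cve_2024_6336.py
    vulnerable, reason = assess_output(sys.stdin.read())
    print(("VULNERABLE: " if vulnerable else "OK: ") + reason)
    sys.exit(1 if vulnerable else 0)
```

The non-zero exit code on a vulnerable result lets the script sit in a fleet inventory job; the reason string distinguishes "below the fixed patch" from "release line with no fix", which call for different remediation.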

📡 Detection & Monitoring

Log Indicators:

  • repo.access events in the audit log (the action recorded when a repository's visibility changes), especially where the new visibility is public
  • A burst of anonymous or external clones and fetches of a repository shortly after its visibility changed

Network Indicators:

  • Unusual traffic to URLs of repositories that were private until recently

SIEM Query:

Splunk-style, using the action and visibility fields carried by audit log exports (confirm the field names against your own forwarder, which may rename them):

index=github action="repo.access" visibility="public"

Exclude known automation accounts that legitimately publish repositories, and alert on the rest.
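The same detection logic, run over an audit log export rather than a SIEM, as an added example written for this page (not GitHub tooling). It reads the JSON-lines format of an audit log export, keeps repo.access events whose new visibility is public, skips an allowlist of actors, and surfaces malformed lines rather than dropping them silently. The sample lines are constructed for the example; the field names (action, actor, repo, visibility, @timestamp in milliseconds) match what audit log exports carry, but confirm them against your own export.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of an audit log export (JSON lines), not real data.
# Line 3 is a new public repository (repo.create), not a private repository
# being exposed; line 5 is deliberately malformed to exercise the error path.
SAMPLE_EXPORT = """\
{"@timestamp": 1718020000000, "action": "repo.access", "actor": "alice", "org": "acme", "repo": "acme/internal-tool", "visibility": "public"}
{"@timestamp": 1718020100000, "action": "repo.access", "actor": "bob", "org": "acme", "repo": "acme/website", "visibility": "private"}
{"@timestamp": 1718020200000, "action": "repo.create", "actor": "carol", "org": "acme", "repo": "acme/new-lib", "visibility": "public"}
{"@timestamp": 1718020300000, "action": "repo.access", "actor": "release-bot", "org": "acme", "repo": "acme/sdk", "visibility": "public"}
this line is not JSON
"""


def parse_export(text):
    """Return (events, bad_line_numbers) for a JSON-lines export.

    Broken lines are reported, not hidden: a corrupted export is itself
    something an investigator wants to know about.
    """
    events, bad_lines = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            bad_lines.append(lineno)
    return events, bad_lines


def find_public_flips(events, allowed_actors=frozenset()):
    """Return repo.access events that made a repository public.

    repo.access is the audit action recorded when a repository's visibility
    changes. repo.create with visibility public is a different event (a
    brand-new public repository) and is left to a separate rule.
    """
    hits = []
    for ev in events:
        if ev.get("action") != "repo.access":
            continue
        if ev.get("visibility") != "public":
            continue
        if ev.get("actor") in allowed_actors:
            continue
        hits.append(ev)
    return hits


def summarize(hits):
    """Group exposed repositories by actor, with an ISO-8601 UTC timestamp."""
    by_actor = defaultdict(list)
    for ev in hits:
        ts = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
        by_actor[ev["actor"]].append((ts.isoformat(), ev["repo"]))
    return dict(by_actor)


if __name__ == "__main__":
    events, bad_lines = parse_export(SAMPLE_EXPORT)
    for lineno in bad_lines:
        print(f"warning: line {lineno} is not valid JSON")
    for actor, repos in summarize(find_public_flips(events)).items():
        for when, repo in repos:
            print(f"{when} {actor} made {repo} public")
```

Pass the accounts of your release automation in allowed_actors to keep the output to the changes a human should review; anything left is a private repository that became public and needs a decision on whether that was intended.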

🔗 References

  • GitHub Enterprise Server release notes: https://docs.github.com/en/enterprise-server/admin/release-notes
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-6336