Vulnerability Details : CVE-2020-10516
An improper access control vulnerability was identified in the GitHub Enterprise Server API that allowed an organization member to escalate permissions and gain access to unauthorized repositories within an organization. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.21 and was fixed in 2.20.9, 2.19.15, and 2.18.20. This vulnerability was reported via the GitHub Bug Bounty program.
Vulnerability category: Bypass; Gain privilege
Exploit prediction scoring system (EPSS) score for CVE-2020-10516
Probability of exploitation activity in the next 30 days: 0.23%
Percentile (the proportion of vulnerabilities scored at or below this value): ~61%
CVSS scores for CVE-2020-10516
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST
CWE ids for CVE-2020-10516
- CWE-285 (Improper Authorization): The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. Assigned by: product-cna@github.com (Secondary)
- CWE-552 (Files or Directories Accessible to External Parties): The product makes files or directories accessible to unauthorized actors, even though they should not be. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-10516
- https://enterprise.github.com/releases/2.20.9/notes (GitHub Enterprise Server 2.20.9 release notes; Third Party Advisory)
- https://enterprise.github.com/releases/2.19.15/notes (GitHub Enterprise Server 2.19.15 release notes; Third Party Advisory)
- https://enterprise.github.com/releases/2.18.20/notes (GitHub Enterprise Server 2.18.20 release notes; Third Party Advisory)
Products affected by CVE-2020-10516
- cpe:2.3:a:github:github:*:*:*:*:enterprise:*:*:*