CVE-2024-1082: 
GitHub Enterprise Server vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2024-1082) was identified in GitHub Enterprise Server that allowed an attacker to gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. The vulnerability was discovered and reported via the GitHub Bug Bounty program and affected all versions of GitHub Enterprise Server prior to 3.12 (NVD).

The vulnerability is classified as a path traversal issue (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). It has a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and high confidentiality impact (NVD).

The vulnerability allows attackers to gain unauthorized read access to files on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance (NVD).

The vulnerability has been fixed in GitHub Enterprise Server versions 3.8.15, 3.9.10, 3.10.7, and 3.11.5. Users are advised to upgrade to these patched versions or later to mitigate the vulnerability (GitHub Release Notes).