CVE-2024-6395: 
GitHub Enterprise Server vulnerability analysis and mitigation

An exposure of sensitive information vulnerability (CVE-2024-6395) was discovered in GitHub Enterprise Server that would allow an attacker to enumerate the names of private repositories that utilize deploy keys. The vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported through the GitHub Bug Bounty program (NVD).

The vulnerability is classified as an information exposure issue (CWE-200) that allows unauthorized access to private repository names, but not their contents. The CVSS v3.1 base score is 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating the vulnerability is network accessible, requires low attack complexity, needs no privileges or user interaction, and only impacts confidentiality (NVD).

The vulnerability only allowed attackers to view the names of private repositories that use deploy keys, without providing access to any other repository content. This could potentially expose information about an organization's private projects and internal structure (NVD).

GitHub has addressed this vulnerability by releasing fixes in multiple versions: 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. Organizations should upgrade their GitHub Enterprise Server installations to one of these patched versions to mitigate the vulnerability (NVD).