CVE-2024-9539: 
GitHub Enterprise Server vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2024-9539) was identified in GitHub Enterprise Server that allows an attacker to retrieve metadata information of users who click on maliciously crafted URLs. The vulnerability was discovered through GitHub's Bug Bounty program and affects all versions of GitHub Enterprise Server prior to 3.14, with fixes released in versions 3.14.2, 3.13.5, 3.12.10, and 3.11.16 (NVD, GitHub Release Notes).

The vulnerability involves an attacker uploading malicious SVG files and creating asset URLs that, when clicked by a victim user, expose their metadata information. The vulnerability has been assigned a CVSS v4.0 score of 5.7 (Medium) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N, and a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (NVD).

When exploited, the vulnerability allows attackers to retrieve metadata information from users who click on specially crafted URLs. This information could then be used to create convincing phishing pages, potentially leading to further security compromises (SecurityWeek).

GitHub has addressed this vulnerability by releasing patches in Enterprise Server versions 3.14.2, 3.13.5, 3.12.10, and 3.11.16. Organizations running affected versions of GitHub Enterprise Server are strongly advised to upgrade to the patched versions (GitHub Release Notes).