GitHub Enterprise Server Incorrect Authorization Vulnerability in Contractors API

Vulnerability

A vulnerability allowing unauthorized read access to internal repository contents for contractor accounts has been identified in GitHub Enterprise Server. This issue arises when the Contractors API feature, which is in private preview, is enabled. The vulnerability affects all versions of GitHub Enterprise Server prior to 3.18. The root cause is a lack of proper authorization checks, which has been addressed in the patched versions. Exploitation of this vulnerability could lead to unauthorized access to sensitive repository information.

Impact

Exploitation of this vulnerability could result in unauthorized access to internal repository contents, potentially exposing sensitive information.

Remediation

To address this vulnerability, GitHub Enterprise Server instances should be updated to version 3.14.15, 3.15.10, 3.16.6, or 3.17.3.
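Added example, not part of the advisory or of GitHub's own tooling: a small Python helper that takes a GitHub Enterprise Server version string and reports whether it falls on a release line patched for this issue. It encodes only what the advisory states: the fixed releases 3.14.15, 3.15.10, 3.16.6 and 3.17.3, that 3.18 and later are not affected, and that the issue is only exposed while the private-preview Contractors API is enabled. The `contractors_api_enabled` parameter and the status strings are assumptions of this example; older minor lines with no listed fix are reported as needing an upgrade to a patched line.

```python
# Added example (not from the advisory or GitHub): classify a GHES version
# against the fixed releases listed for the Contractors API authorization issue.
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory, keyed by minor line; a build at or above
# the fixed release on the same line is patched.
PATCHED: Dict[Tuple[int, int], Version] = {
    (3, 14): (3, 14, 15),
    (3, 15): (3, 15, 10),
    (3, 16): (3, 16, 6),
    (3, 17): (3, 17, 3),
}
# The advisory states that all versions prior to 3.18 are affected.
FIRST_UNAFFECTED = (3, 18)


def parse_version(text: str) -> Version:
    """Turn '3.16.4' (or 'v3.16') into a comparable (major, minor, patch) tuple."""
    cleaned = text.strip().lstrip("v")
    parts = tuple(int(p) for p in cleaned.split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected GHES version format: {text!r}")
    # A two-component version means the .0 release of that line.
    return (parts[0], parts[1], parts[2] if len(parts) == 3 else 0)


def assess(version: str, contractors_api_enabled: bool = True) -> Tuple[str, str]:
    """Return (status, detail) for one instance.

    status is one of: 'not affected', 'patched', 'not exposed', 'vulnerable'.
    'not exposed' means the instance runs affected code but the Contractors API
    preview is disabled, so the missing check is not reachable; it still needs
    the upgrade before the feature is turned on.
    """
    v = parse_version(version)
    line = (v[0], v[1])
    if line >= FIRST_UNAFFECTED:
        return "not affected", "3.18 and later do not carry the issue"
    fixed = PATCHED.get(line)
    if fixed is not None and v >= fixed:
        return "patched", "at or above the fixed release for this line"
    if not contractors_api_enabled:
        return "not exposed", "Contractors API preview disabled; upgrade before enabling it"
    if fixed is None:
        return "vulnerable", "no fixed release on this line; upgrade to 3.14.15, 3.15.10, 3.16.6 or 3.17.3"
    return "vulnerable", "upgrade to " + ".".join(str(n) for n in fixed)


if __name__ == "__main__":
    # Constructed sample inventory; versions are illustrative, not real hosts.
    for host, ver, enabled in [("ghes-a", "3.16.4", True),
                               ("ghes-b", "3.16.6", True),
                               ("ghes-c", "3.18.0", True),
                               ("ghes-d", "3.17.2", False)]:
        status, detail = assess(ver, enabled)
        print(f"{host:8} {ver:8} {status:13} {detail}")
```

The version comparison uses tuple ordering so that 3.16.10 sorts after 3.16.6; comparing the strings lexically would get that wrong. Feed it the version shown in the instance's management console or its release notes, and treat "not exposed" as a scheduling decision rather than a closed finding.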

Added: Jul 15, 2025, 11:44 PM
Updated: Jul 15, 2025, 11:44 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.