ByteOS Network

Vulnerability Details :

CVE-2025-8447

Assigner Org ID-82327ea3-741d-41e4-88f8-2cf9e791e760

Published At-26 Aug, 2025 | 01:42

Updated At-26 Aug, 2025 | 18:34

Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed read-only access

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags, or commit SHAs that they could use to trigger compare/diff functionality and retrieve limited code without proper authorization. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18, and was fixed in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5. This vulnerability was reported via the GitHub Bug Bounty program.

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:GitHub_P

Assigner Org ID:82327ea3-741d-41e4-88f8-2cf9e791e760

Published At:26 Aug, 2025 | 01:42

Updated At:26 Aug, 2025 | 18:34

▼CVE Numbering Authority (CNA)

Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed read-only access

Affected Products

Vendor

GitHub, Inc.

Product

Enterprise Server

Default Status

affected

Versions

Affected

From 3.14 through 3.14.16 (semver)
- -> unaffectedfrom3.14.17
From 3.15 through 3.15.11 (semver)
- -> unaffectedfrom3.15.12
From 3.16 through 3.16.7 (semver)
- -> unaffectedfrom3.16.8
From 3.17 through 3.17.4 (semver)
- -> unaffectedfrom3.17.5

Problem Types

Type	CWE ID	Description
CWE	CWE-639	CWE-639 Authorization Bypass Through User-Controlled Key

Type: CWE

CWE ID: CWE-639

Description: CWE-639 Authorization Bypass Through User-Controlled Key

Metrics

Version	Base score	Base severity	Vector
4.0	7.0	HIGH	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Version: 4.0

Base score: 7.0

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Impacts

CAPEC ID	Description
CAPEC-180	CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels

CAPEC ID: CAPEC-180

Description: CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels

Credits

finder

furbreeze

References

Hyperlink	Resource
https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.17	N/A
https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.12	N/A
https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.8	N/A
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.5	N/A

Hyperlink: https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.17

Resource: N/A

Hyperlink: https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.12

Resource: N/A

Hyperlink: https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.8

Resource: N/A

Hyperlink: https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.5

Resource: N/A

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:product-cna@github.com

Published At:26 Aug, 2025 | 02:15

Updated At:26 Aug, 2025 | 13:41

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	7.0	HIGH	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 4.0

Base score: 7.0

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X