Incorrect authorization vulnerability was identified in GitHub Enterprise Server that...

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Description

An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3

Basic Information

ID CVE-2025-6981

Source GitHub_P

Published Jul 15, 2025 at 20:44

Modified Jul 16, 2025 at 19:04

Affected Product

Vendor GitHub

Product Enterprise Server

Version 3.14.0

Affected Versions GitHub Enterprise Server 3.14.0
GitHub Enterprise Server 3.15.0
GitHub Enterprise Server 3.16.0
GitHub Enterprise Server 3.17.0

CWE Classification

CWE-863

References

{
    "lastseen": "",
    "description": "An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15,\u00a03.15.10,\u00a03.16.6 and\u00a03.17.3",
    "published": "2025-07-15T20:44:30.022Z",
    "modified": "2025-07-16T19:04:18.464Z",
    "type": "cve",
    "title": "Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized read-only access",
    "source": "GitHub_P",
    "references": "https://docs.github.com/en/[email protected]/admin/release-notes#3.14.15\nhttps://docs.github.com/en/[email protected]/admin/release-notes#3.15.10\nhttps://docs.github.com/en/[email protected]/admin/release-notes#3.16.6\nhttps://docs.github.com/en/[email protected]/admin/release-notes#3.17.3",
    "id": "CVE-2025-6981",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "GitHub Enterprise Server 3.14.0\nGitHub Enterprise Server 3.15.0\nGitHub Enterprise Server 3.16.0\nGitHub Enterprise Server 3.17.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Enterprise Server",
    "version": "3.14.0",
    "vendor": "GitHub",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized read-only access_CVE-2025-6981