Page 2 of 33 results (0.008 seconds)

CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 0

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the actions-console docker container while setting a service URL. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una vulnerabilidad de inyección de comandos en GitHub Enterprise Server que permitió a un atacante con una función de editor en la Consola de administración obtener acceso SSH de administrador al dispositivo a través del contenedor acoplable de la consola de acciones mientras configuraba una URL de servicio. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7 https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 8.0EPSS: 0%CPEs: 4EXPL: 0

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via the `syslog-ng` configuration file. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una vulnerabilidad de inyección de comandos en GitHub Enterprise Server que permitió a un atacante con función de editor en Management Console obtener acceso SSH de administrador al dispositivo a través del archivo de configuración `syslog-ng`. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.7 https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.5 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.15 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.10 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0

An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.11.3, 3.10.5, 3.9.8, and 3.8.13 This vulnerability was reported via the GitHub Bug Bounty program. Un atacante con acceso a una cuenta de usuario de Management Console con función de editor podría escalar privilegios a través de una vulnerabilidad de inyección de comandos en Management Console. Esta vulnerabilidad afectó a todas las versiones de GitHub Enterprise Server y se solucionó en las versiones 3.11.3, 3.10.5, 3.9.8 y 3.8.13. Esta vulnerabilidad se informó a través del programa GitHub Bug Bounty. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.5 https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.3 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.13 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.8 • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0

An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To do so, an attacker would need write access to the repository. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.6.17, 3.7.15, 3.8.8, 3.9.3, and 3.10.1. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una vulnerabilidad de comparación incorrecta en GitHub Enterprise Server que permitía el contrabando de confirmaciones al mostrar una diferencia incorrecta en una Solicitud de Extracción reabierta. • https://docs.github.com/enterprise-server@3.10/admin/release-notes#3.10.1 https://docs.github.com/enterprise-server@3.6/admin/release-notes#3.6.17 https://docs.github.com/enterprise-server@3.7/admin/release-notes#3.7.15 https://docs.github.com/enterprise-server@3.8/admin/release-notes#3.8.8 https://docs.github.com/enterprise-server@3.9/admin/release-notes#3.9.3 • CWE-697: Incorrect Comparison •

CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0

An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.10.0 and was fixed in versions 3.9.4, 3.8.9, 3.7.16 and 3.6.18. This vulnerability was reported via the GitHub Bug Bounty program. Se ha identificado una vulnerabilidad de autorización/divulgación de información sensible en GitHub Enterprise Server que permitía a un fork conservar el acceso de lectura a un repositorio upstream después de cambiar su visibilidad a privada. Esta vulnerabilidad afectaba a todas las versiones de GitHub Enterprise Server anteriores a la 3.10.0 y se solucionó en las versiones 3.9.4, 3.8.9, 3.7.16 y 3.6.18. • https://docs.github.com/en/enterprise-server@3.6/admin/release-notes#3.6.18-security-fixes https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.16-security-fixes https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.9-security-fixes https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.4-security-fixes • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •