CVE-2023-51380 – Incorrect Authorization allows Read Access to Issue Comments in GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2023-51380
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an improperly scoped token. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Se identificó una vulnerabilidad de autorización incorrecta en GitHub Enterprise Server que permitía leer los comentarios del problema con un token con un alcance incorrecto. Esta vulnerabilidad afectó a todas las versiones de GitHub Enterprise Server desde la 3.7 y se solucionó en las versiones 3.17.19, 3.8.12, 3.9.7, 3.10.4 y 3.11.1. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1 https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 • CWE-863: Incorrect Authorization •
CVE-2023-51379 – Incorrect Authorization for Issue Comments in GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2023-51379
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents:write and issues:read permissions. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Se identificó una vulnerabilidad de autorización incorrecta en GitHub Enterprise Server que permitía actualizar los comentarios del problema con un token con un alcance incorrecto. Esta vulnerabilidad no permitía el acceso no autorizado a ningún contenido del repositorio, ya que también requería permisos de contenido: problemas de lectura y escritura. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1 https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 • CWE-863: Incorrect Authorization •
CVE-2023-6746 – Sensitive Information in Log File in GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2023-6746
An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server back-end service that could permit an `adversary in the middle attack` when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server appliance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Se identificó una vulnerabilidad de inserción de información confidencial en el archivo de registro en los archivos de registro de un servicio back-end de GitHub Enterprise Server que podría permitir un ataque de "adversary in the middle" cuando se combina con otras técnicas de phishing. Para explotar esto, un atacante necesitaría acceso a los archivos de registro del dispositivo GitHub Enterprise Server, un archivo de respaldo creado con GitHub Enterprise Server Backup Utilities o un servicio que recibiera registros transmitidos. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1 https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2023-46646
https://notcve.org/view.php?id=CVE-2023-46646
Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected GitHub Enterprise Server version 3.7.0 and above and was fixed in version 3.17.19, 3.8.12, 3.9.7 3.10.4, and 3.11.0. El control de acceso inadecuado en todas las versiones de GitHub Enterprise Server permite a usuarios no autorizados ver nombres de repositorios privados a través del endpoint API "Get a check run". Esta vulnerabilidad no permitía el acceso no autorizado a ningún contenido del repositorio además del nombre. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2020-9523
https://notcve.org/view.php?id=CVE-2020-9523
Insufficiently protected credentials vulnerability on Micro Focus enterprise developer and enterprise server, affecting all version prior to 4.0 Patch Update 16, and version 5.0 Patch Update 6. The vulnerability could allow an attacker to transmit hashed credentials for the user account running the Micro Focus Directory Server (MFDS) to an arbitrary site, compromising that account's security. Una vulnerabilidad de credenciales insuficientemente protegidas en el desarrollador empresarial y el servidor empresarial de Micro Focus, afectando a todas las versiones anteriores a 4.0 Patch Update 16, y versión 5.0 Patch Update 6. La vulnerabilidad podría permitir a un atacante transmitir credenciales del hash para la cuenta de usuario que ejecuta el Micro Focus Directory Server (MFDS) en un sitio arbitrario, comprometiendo la seguridad de esa cuenta. • https://softwaresupport.softwaregrp.com/doc/KM03634936 • CWE-522: Insufficiently Protected Credentials •