CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-51379 – Incorrect Authorization for Issue Comments in GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2023-51379
21 Dec 2023 — An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents:write and issues:read permissions. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Se identificó una vulnerabilidad de autorización incorrecta en... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-863: Incorrect Authorization •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-46648 – Insufficient Entropy in GitHub Enterprise Server Management Console Invitation Token
https://notcve.org/view.php?id=CVE-2023-46648
21 Dec 2023 — An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una vulnerabil... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-331: Insufficient Entropy •
CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 0CVE-2023-46649 – Race Condition allows Administrative Access on Organization Repositories
https://notcve.org/view.php?id=CVE-2023-46649
21 Dec 2023 — A race condition in GitHub Enterprise Server was identified that could allow an attacker administrator access. To exploit this, an organization needs to be converted from a user. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Se identificó una condición de ejecución en GitHub Enterprise Server que podría permitir el acceso de administrador a un atacante. Para aprovechar esto, una organización debe ser convert... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6804 – Improper Privilege Management allows for arbitrary workflows to be run
https://notcve.org/view.php?id=CVE-2023-6804
21 Dec 2023 — Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped PAT. To exploit this, a workflow must have already existed in the target repo. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. La gestión inadecuada de privilegios permitió que se confirmaran y ejecutaran workflows arbitrarios utilizando una PAT con un alcance inadecuado. Para aprovechar esto, ya debe haber exi... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-269: Improper Privilege Management •
CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6803 – Race Condition allows Unauthorized Outside Collaborator
https://notcve.org/view.php?id=CVE-2023-6803
21 Dec 2023 — A race condition in GitHub Enterprise Server allows an outside collaborator to be added while a repository is being transferred. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Una condición de ejecución en GitHub Enterprise Server permite agregar un colaborador externo mientras se transfiere un repositorio. Esta vulnerabilidad afectó a todas las versiones de GitHub Enterprise Server desde la 3.8 y se solucionó en las... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6802 – Sensitive Information in Log File in GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2023-6802
21 Dec 2023 — An insertion of sensitive information into the log file in the audit log in GitHub Enterprise Server was identified that could allow an attacker to gain access to the management console. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server appliance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in versi... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-6746 – Sensitive Information in Log File in GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2023-6746
21 Dec 2023 — An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server back-end service that could permit an `adversary in the middle attack` when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server appliance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. This vulnerability affected all versions o... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-46645 – Path traversal in GitHub Enterprise Server leading to arbitrary file reading when building a GitHub Pages site
https://notcve.org/view.php?id=CVE-2023-46645
21 Dec 2023 — A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program. Se ide... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 3.9EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6690
https://notcve.org/view.php?id=CVE-2023-6690
21 Dec 2023 — A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on transferred repositories by making a GraphQL mutation to alter repository permissions during the transfer. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Una condición de ejecución en GitHub Enterprise Server permitió a un administrador existente mantener los permisos en los repositorios transferidos al realizar una mutaci... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-46647 – Improper Privilege Management in GitHub Enterprise Server management console leads to privilege escalation
https://notcve.org/view.php?id=CVE-2023-46647
21 Dec 2023 — Improper privilege management in all versions of GitHub Enterprise Server allows users with authorized access to the management console with an editor role to escalate their privileges by making requests to the endpoint used for bootstrapping the instance. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.12, 3.9.6, 3.10.3, and 3.11.0. La administración inadecuada de privilegios en todas las versiones de GitHub Enterprise Server permite a los usuarios ... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.3 • CWE-269: Improper Privilege Management •