CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0CVE-2023-6746 – Sensitive Information in Log File in GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2023-6746
21 Dec 2023 — An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server back-end service that could permit an `adversary in the middle attack` when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server appliance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. This vulnerability affected all versions o... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-46645 – Path traversal in GitHub Enterprise Server leading to arbitrary file reading when building a GitHub Pages site
https://notcve.org/view.php?id=CVE-2023-46645
21 Dec 2023 — A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program. Se ide... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 3.9EPSS: 0%CPEs: 4EXPL: 0CVE-2023-6690
https://notcve.org/view.php?id=CVE-2023-6690
21 Dec 2023 — A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on transferred repositories by making a GraphQL mutation to alter repository permissions during the transfer. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Una condición de ejecución en GitHub Enterprise Server permitió a un administrador existente mantener los permisos en los repositorios transferidos al realizar una mutaci... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-46647 – Improper Privilege Management in GitHub Enterprise Server management console leads to privilege escalation
https://notcve.org/view.php?id=CVE-2023-46647
21 Dec 2023 — Improper privilege management in all versions of GitHub Enterprise Server allows users with authorized access to the management console with an editor role to escalate their privileges by making requests to the endpoint used for bootstrapping the instance. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.12, 3.9.6, 3.10.3, and 3.11.0. La administración inadecuada de privilegios en todas las versiones de GitHub Enterprise Server permite a los usuarios ... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.3 • CWE-269: Improper Privilege Management •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-46646
https://notcve.org/view.php?id=CVE-2023-46646
21 Dec 2023 — Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected GitHub Enterprise Server version 3.7.0 and above and was fixed in version 3.17.19, 3.8.12, 3.9.7 3.10.4, and 3.11.0. El control de acceso inadecuado en todas las versiones de GitHub Enterprise Server permite a usuarios n... • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-23766 – Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling
https://notcve.org/view.php?id=CVE-2023-23766
22 Sep 2023 — An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To do so, an attacker would need write access to the repository. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.6.17, 3.7.15, 3.8.8, 3.9.3, and 3.10.1. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una vulnerabilidad de comparación incorrecta en GitHub En... • https://docs.github.com/enterprise-server@3.10/admin/release-notes#3.10.1 • CWE-697: Incorrect Comparison •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-23763 – Information disclosure in GitHub Enterprise Server leading to private repository leakage
https://notcve.org/view.php?id=CVE-2023-23763
01 Sep 2023 — An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.10.0 and was fixed in versions 3.9.4, 3.8.9, 3.7.16 and 3.6.18. This vulnerability was reported via the GitHub Bug Bounty program. Se ha identificado una vulnerabilidad de autorización/divulgación de información ... • https://docs.github.com/en/enterprise-server@3.6/admin/release-notes#3.6.18-security-fixes • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-23765 – Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling
https://notcve.org/view.php?id=CVE-2023-23765
30 Aug 2023 — An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the GitHub Bug Bounty Program https://bounty.github.com/ . Se identificó una vulnerabilidad de comparación incorrecta en GitHub Enterprise Server que permitía el contrabando de commits mostrando un diff incorrecto en u... • https://docs.github.com/en/enterprise-server@3.6/admin/release-notes#3.6.16 • CWE-697: Incorrect Comparison •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-23764 – Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling
https://notcve.org/view.php?id=CVE-2023-23764
27 Jul 2023 — An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff within the GitHub pull request UI. To do so, an attacker would need write access to the repository. This vulnerability affected GitHub Enterprise Server versions 3.7.0 and above and was fixed in versions 3.7.9, 3.8.2, and 3.9.1. This vulnerability was reported via the GitHub Bug Bounty program. • https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.9 • CWE-697: Incorrect Comparison •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-23762 – Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling
https://notcve.org/view.php?id=CVE-2023-23762
07 Apr 2023 — An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff. To do so, an attacker would need write access to the repository and be able to correctly guess the target branch before it’s created by the code maintainer. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.9 and was fixed in versions 3.4.18, 3.5.15, 3.6.11, 3.7.8, and 3.8.1. This vulnerability was reported via the GitHub Bug Bounty pro... • https://docs.github.com/en/enterprise-server@3.4/admin/release-notes#3.4.18 • CWE-697: Incorrect Comparison •