CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-6847 – Improper Authentication in GitHub Enterprise Server leading to Authentication Bypass for Public Repository Data
https://notcve.org/view.php?id=CVE-2023-6847
An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of Private Mode by using a specially crafted API request. To exploit this vulnerability, an attacker would need network access to the Enterprise Server appliance configured in Private Mode. This vulnerability affected all versions of GitHub Enterprise Server since 3.9 and was fixed in version 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una vulnerabilidad de autenticación incorrecta en GitHub Enterprise Server que permitía omitir el Private Mode mediante el uso de una solicitud API especialmente manipulada. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2023-51380 – Incorrect Authorization allows Read Access to Issue Comments in GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2023-51380
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an improperly scoped token. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Se identificó una vulnerabilidad de autorización incorrecta en GitHub Enterprise Server que permitía leer los comentarios del problema con un token con un alcance incorrecto. Esta vulnerabilidad afectó a todas las versiones de GitHub Enterprise Server desde la 3.7 y se solucionó en las versiones 3.17.19, 3.8.12, 3.9.7, 3.10.4 y 3.11.1. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1 https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 • CWE-863: Incorrect Authorization •
CVSS: 4.9EPSS: 0%CPEs: 5EXPL: 0CVE-2023-51379 – Incorrect Authorization for Issue Comments in GitHub Enterprise Server
https://notcve.org/view.php?id=CVE-2023-51379
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents:write and issues:read permissions. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Se identificó una vulnerabilidad de autorización incorrecta en GitHub Enterprise Server que permitía actualizar los comentarios del problema con un token con un alcance incorrecto. Esta vulnerabilidad no permitía el acceso no autorizado a ningún contenido del repositorio, ya que también requería permisos de contenido: problemas de lectura y escritura. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1 https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 • CWE-863: Incorrect Authorization •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-46648 – Insufficient Entropy in GitHub Enterprise Server Management Console Invitation Token
https://notcve.org/view.php?id=CVE-2023-46648
An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una vulnerabilidad de entropía insuficiente en GitHub Enterprise Server (GHES) que permitió a un atacante forzar por fuerza bruta una invitación de usuario a la GHES Management Console. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 • CWE-331: Insufficient Entropy •
CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 0CVE-2023-46649 – Race Condition allows Administrative Access on Organization Repositories
https://notcve.org/view.php?id=CVE-2023-46649
A race condition in GitHub Enterprise Server was identified that could allow an attacker administrator access. To exploit this, an organization needs to be converted from a user. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Se identificó una condición de ejecución en GitHub Enterprise Server que podría permitir el acceso de administrador a un atacante. Para aprovechar esto, una organización debe ser convertida desde un usuario. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1 https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •