CVE-2023-46646
https://notcve.org/view.php?id=CVE-2023-46646
Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected GitHub Enterprise Server version 3.7.0 and above and was fixed in version 3.17.19, 3.8.12, 3.9.7 3.10.4, and 3.11.0. El control de acceso inadecuado en todas las versiones de GitHub Enterprise Server permite a usuarios no autorizados ver nombres de repositorios privados a través del endpoint API "Get a check run". Esta vulnerabilidad no permitía el acceso no autorizado a ningún contenido del repositorio además del nombre. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2023-23766 – Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling
https://notcve.org/view.php?id=CVE-2023-23766
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To do so, an attacker would need write access to the repository. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.6.17, 3.7.15, 3.8.8, 3.9.3, and 3.10.1. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una vulnerabilidad de comparación incorrecta en GitHub Enterprise Server que permitía el contrabando de confirmaciones al mostrar una diferencia incorrecta en una Solicitud de Extracción reabierta. • https://docs.github.com/enterprise-server@3.10/admin/release-notes#3.10.1 https://docs.github.com/enterprise-server@3.6/admin/release-notes#3.6.17 https://docs.github.com/enterprise-server@3.7/admin/release-notes#3.7.15 https://docs.github.com/enterprise-server@3.8/admin/release-notes#3.8.8 https://docs.github.com/enterprise-server@3.9/admin/release-notes#3.9.3 • CWE-697: Incorrect Comparison •
CVE-2023-23763 – Information disclosure in GitHub Enterprise Server leading to private repository leakage
https://notcve.org/view.php?id=CVE-2023-23763
An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.10.0 and was fixed in versions 3.9.4, 3.8.9, 3.7.16 and 3.6.18. This vulnerability was reported via the GitHub Bug Bounty program. Se ha identificado una vulnerabilidad de autorización/divulgación de información sensible en GitHub Enterprise Server que permitía a un fork conservar el acceso de lectura a un repositorio upstream después de cambiar su visibilidad a privada. Esta vulnerabilidad afectaba a todas las versiones de GitHub Enterprise Server anteriores a la 3.10.0 y se solucionó en las versiones 3.9.4, 3.8.9, 3.7.16 y 3.6.18. • https://docs.github.com/en/enterprise-server@3.6/admin/release-notes#3.6.18-security-fixes https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.16-security-fixes https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.9-security-fixes https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.4-security-fixes • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVE-2023-23765 – Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling
https://notcve.org/view.php?id=CVE-2023-23765
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the GitHub Bug Bounty Program https://bounty.github.com/ . Se identificó una vulnerabilidad de comparación incorrecta en GitHub Enterprise Server que permitía el contrabando de commits mostrando un diff incorrecto en un Pull Request reabierto. Para explotar esta vulnerabilidad, un atacante necesitaría acceso de escritura al repositorio. • https://docs.github.com/en/enterprise-server@3.6/admin/release-notes#3.6.16 https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.13 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.9 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.1 • CWE-697: Incorrect Comparison •
CVE-2023-23764 – Incorrect comparison vulnerability in GitHub Enterprise Server leading to commit smuggling
https://notcve.org/view.php?id=CVE-2023-23764
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff within the GitHub pull request UI. To do so, an attacker would need write access to the repository. This vulnerability affected GitHub Enterprise Server versions 3.7.0 and above and was fixed in versions 3.7.9, 3.8.2, and 3.9.1. This vulnerability was reported via the GitHub Bug Bounty program. • https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.9 https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.2 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.1 • CWE-697: Incorrect Comparison •