Page 8 of 88 results (0.007 seconds)

CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0

An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain access to and modify most organization-level resources that are not tied to a repository regardless of granted permissions, such as users and organization-wide projects. Resources associated with repositories were not impacted, such as repository file content, repository-specific projects, issues, or pull requests. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.1 and was fixed in versions 3.3.16, 3.4.11, 3.5.8, 3.6.4, 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program. • https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.16 https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.11 https://docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.8 https://docs.github.com/en/enterprise-server%403.6/admin/release-notes#3.6.4 https://docs.github.com/en/enterprise-server%403.7/admin/release-notes#3.7.1 • CWE-863: Incorrect Authorization •

CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This vulnerability affected all versions of GitHub Enterprise Server prior to version 3.7 and was fixed in versions 3.3.16, 3.4.11, 3.5.8, and 3.6.4. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una vulnerabilidad de autorización incorrecta en GitHub Enterprise Server que permitía que un token con alcance de repositorio con acceso de lectura/escritura modificara archivos de flujo de trabajo de acción sin un alcance de flujo de trabajo. • https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.16 https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.11 https://docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.8 https://docs.github.com/en/enterprise-server%403.6/admin/release-notes#3.6.4 • CWE-863: Incorrect Authorization •

CVSS: 8.8EPSS: 1%CPEs: 5EXPL: 0

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, 3.6.5 and 3.7.2. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una vulnerabilidad de path traversal en GitHub Enterprise Server que permitía la ejecución remota de código al crear un sitio de GitHub Pages. • https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.17 https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.12 https://docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.9 https://docs.github.com/en/enterprise-server%403.6/admin/release-notes#3.6.5 https://docs.github.com/en/enterprise-server%403.7/admin/release-notes#3.7.2 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, and 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una vulnerabilidad de autorización incorrecta en GitHub Enterprise Server que permitió que un token de usuario a servidor con alcance escalara a privilegios completos de administrador/propietario. • https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.17 https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.12 https://docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.9 https://docs.github.com/en/enterprise-server%403.6/admin/release-notes#3.6.5 • CWE-863: Incorrect Authorization •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. A check was added within Pages to ensure the working directory is clean before unpacking new content to prevent an arbitrary file overwrite bug. This vulnerability affected only version 3.7.0 of GitHub Enterprise Server and was fixed in version 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program. Se identificó una limitación inadecuada de un nombre de ruta a una vulnerabilidad de directorio restringido en GitHub Enterprise Server que permitía la ejecución remota de código. • https://docs.github.com/en/enterprise-server%403.7/admin/release-notes#3.7.1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •