// For flags

CVE-2023-6746

Sensitive Information in Log File in GitHub Enterprise Server

Severity Score

5.7
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server back-end service that could permit an `adversary in the middle attack` when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server appliance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1.

Se identificó una vulnerabilidad de inserción de información confidencial en el archivo de registro en los archivos de registro de un servicio back-end de GitHub Enterprise Server que podría permitir un ataque de "adversary in the middle" cuando se combina con otras técnicas de phishing. Para explotar esto, un atacante necesitaría acceso a los archivos de registro del dispositivo GitHub Enterprise Server, un archivo de respaldo creado con GitHub Enterprise Server Backup Utilities o un servicio que recibiera registros transmitidos. Esta vulnerabilidad afectó a todas las versiones de GitHub Enterprise Server desde la 3.7 y se solucionó en las versiones 3.17.19, 3.8.12, 3.9.7, 3.10.4 y 3.11.1.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-12-12 CVE Reserved
  • 2023-12-21 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-11-20 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-532: Insertion of Sensitive Information into Log File
CAPEC
  • CAPEC-21: Exploitation of Trusted Identifiers
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Github
Search vendor "Github"
 Enterprise Server
Search vendor "Github" for product "Enterprise Server"
 >= 3.7.0 < 3.17.19
Search vendor "Github" for product "Enterprise Server" and version " >= 3.7.0 < 3.17.19"
-
Affected
Github
Search vendor "Github"
 Enterprise Server
Search vendor "Github" for product "Enterprise Server"
 >= 3.8.0 < 3.8.12
Search vendor "Github" for product "Enterprise Server" and version " >= 3.8.0 < 3.8.12"
-
Affected
Github
Search vendor "Github"
 Enterprise Server
Search vendor "Github" for product "Enterprise Server"
 >= 3.9.0 < 3.9.7
Search vendor "Github" for product "Enterprise Server" and version " >= 3.9.0 < 3.9.7"
-
Affected
Github
Search vendor "Github"
 Enterprise Server
Search vendor "Github" for product "Enterprise Server"
 >= 3.10.0 < 3.10.4
Search vendor "Github" for product "Enterprise Server" and version " >= 3.10.0 < 3.10.4"
-
Affected
Github
Search vendor "Github"
 Enterprise Server
Search vendor "Github" for product "Enterprise Server"
 3.11.0
Search vendor "Github" for product "Enterprise Server" and version "3.11.0"
-
Affected