![]() ![]() ![]() MEDIUM: An attacker could maintain admin access via a race condition when an organization was converted from a user. This vulnerability was reported via the GitHub Bug Bounty program and assigned CVE-2023-46648. To exploit this vulnerability, an attacker would have needed knowledge that a user invitation was pending. MEDIUM: Due to an insufficient entropy vulnerability, an attacker could brute force a user invitation to the Management Console. GitHub has requested CVE ID CVE-2023-6746 for this vulnerability. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. MEDIUM: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. ![]() This vulnerability was reported via the GitHub Bug Bounty program and assigned CVE-2023-46645. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. GitHub has requested CVE ID CVE-2023-46647 for this vulnerability, which was reported via the GitHub Bug Bounty program. HIGH: An attacker with access to a Management Console user account with the editor role could escalate privileges by making requests to the endpoint used for bootstrapping the instance, and then reset the root site administrator password. This vulnerability was reported via the GitHub Bug Bounty program and assigned CVE-2023-6847. To exploit this vulnerability, an attacker would need network access to the GitHub Enterprise Server instance configured in private mode. This vulnerability would allow unauthenticated attackers to gain access to various types of resources set as public on the instance. For more information, see " Enabling private mode." ![]() Private mode is the mechanism that enforces authentication for publicly-scoped resources. HIGH: An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of private mode by using a specially crafted API request. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |