PT-2023-30139 · Github · Github Enterprise Server
Imre Rad
·
Published
2023-12-21
·
Updated
2023-12-29
·
CVE-2023-46648
CVSS v3.1
8.3
High
| Vector | AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions 3.8 through 3.8.11
GitHub Enterprise Server versions 3.9 through 3.9.6
GitHub Enterprise Server versions 3.10 through 3.10.3
GitHub Enterprise Server versions 3.11 through 3.11.0
Description
An insufficient entropy issue was identified in GitHub Enterprise Server that allowed an attacker to brute force a user invitation to the Management Console. To exploit this, an attacker would need knowledge that a user invitation was pending. This issue was reported via the GitHub Bug Bounty program.
Recommendations
For GitHub Enterprise Server versions 3.8 through 3.8.11, update to version 3.8.12.
For GitHub Enterprise Server versions 3.9 through 3.9.6, update to version 3.9.7.
For GitHub Enterprise Server versions 3.10 through 3.10.3, update to version 3.10.4.
For GitHub Enterprise Server versions 3.11 through 3.11.0, update to version 3.11.1.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github Enterprise Server