PT-2023-32779 · Github · Github Enterprise Server
Published: 2023-12-21 · Updated: 2023-12-29 · CVE-2023-6804
CVSS v3.1: 6.5 (Medium)
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions 3.8 through 3.8.11
GitHub Enterprise Server versions 3.9 through 3.9.6
GitHub Enterprise Server versions 3.10 through 3.10.3
GitHub Enterprise Server versions 3.11 through 3.11.0
Description
Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped Personal Access Token (PAT). To exploit this, a workflow must have already existed in the target repository.
Recommendations
For GitHub Enterprise Server versions 3.8 through 3.8.11, update to version 3.8.12.
For GitHub Enterprise Server versions 3.9 through 3.9.6, update to version 3.9.7.
For GitHub Enterprise Server versions 3.10 through 3.10.3, update to version 3.10.4.
For GitHub Enterprise Server versions 3.11 through 3.11.0, update to version 3.11.1.
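To turn the four affected ranges and fix releases above into a repeatable check, the following script (an added example, not code from Positive Technologies or GitHub) takes a GitHub Enterprise Server version string as an administrator would read it from the appliance and reports whether it falls inside an affected range and which release to update to. The version strings passed in at the bottom are constructed samples; the ranges are exactly those stated in this advisory, and a release branch the advisory does not list is reported as not covered rather than as safe.

```python
"""Check a GitHub Enterprise Server version against the CVE-2023-6804
(PT-2023-32779) affected ranges and report the release to update to."""
from __future__ import annotations

# Affected ranges and fixed releases as listed in the advisory.
# Each entry: (lowest affected, highest affected, release that fixes it).
AFFECTED_RANGES: list[tuple[tuple[int, int, int], tuple[int, int, int], str]] = [
    ((3, 8, 0), (3, 8, 11), "3.8.12"),
    ((3, 9, 0), (3, 9, 6), "3.9.7"),
    ((3, 10, 0), (3, 10, 3), "3.10.4"),
    ((3, 11, 0), (3, 11, 0), "3.11.1"),
]


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'X.Y' or 'X.Y.Z' into a comparable (major, minor, patch) tuple.

    A leading 'v' and a trailing pre-release suffix such as '3.10.3-rc1'
    are tolerated; anything else is rejected rather than guessed at.
    """
    core = version.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:          # '3.8' means the first release of the 3.8 branch
        nums.append(0)
    return nums[0], nums[1], nums[2]


def check_version(version: str) -> dict:
    """Return a verdict dict with keys 'version', 'status' and 'update_to'.

    status is one of:
      'affected'                 - inside a listed range; update_to names the fix
      'patched'                  - on a listed branch, at or above the fix release
      'not covered by advisory'  - a branch this advisory says nothing about
    """
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if v[:2] != low[:2]:
            continue              # different release branch, keep looking
        if low <= v <= high:
            return {"version": version, "status": "affected", "update_to": fix}
        return {"version": version, "status": "patched", "update_to": None}
    # e.g. 3.7.x or 3.12.x: the advisory gives no verdict, so neither do we.
    return {"version": version, "status": "not covered by advisory", "update_to": None}


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ["3.8", "3.9.6", "3.10.3", "3.11.0", "3.11.1", "v3.10.4", "3.7.19"]:
        verdict = check_version(sample)
        target = f" -> update to {verdict['update_to']}" if verdict["update_to"] else ""
        print(f"{sample:>8}: {verdict['status']}{target}")
```

Because the check compares whole release branches, a version such as 3.8.13 is reported as patched even though the advisory only names 3.8.12, while 3.7.x is flagged as outside the advisory's scope so that an unsupported branch is not mistaken for a fixed one.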
Weakness Enumeration
Improper Privilege Management
Affected Products
Github Enterprise Server