Enterprise Server
by GitHub
CVEs (119)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-46647 | 0.00 | — | 0.01 | Dec 21, 2023 | Improper privilege management in all versions of GitHub Enterprise Server allows users with authorized access to the management console with an editor role to escalate their privileges by making requests to the endpoint used for bootstrapping the instance. This vulnerability… | |||
| CVE-2023-46646 | 0.00 | — | 0.01 | Dec 21, 2023 | Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content besides the name. This… | |||
| CVE-2023-23766 | 0.00 | — | 0.01 | Sep 22, 2023 | An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To do so, an attacker would need write access to the repository. This vulnerability affected all versions… | |||
| CVE-2023-23763 | 0.00 | — | 0.01 | Sep 1, 2023 | An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub… | |||
| CVE-2023-23765 | 0.00 | — | 0.00 | Aug 30, 2023 | An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability… | |||
| CVE-2023-23764 | 0.00 | — | 0.00 | Jul 27, 2023 | An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff within the GitHub pull request UI. To do so, an attacker would need write access to the repository. This vulnerability affected GitHub… | |||
| CVE-2023-23762 | 0.00 | — | 0.01 | Apr 7, 2023 | An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff. To do so, an attacker would need write access to the repository and be able to correctly guess the target branch before it’s created… | |||
| CVE-2023-23761 | 0.00 | — | 0.00 | Apr 7, 2023 | An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to modify other users' secret gists by authenticating through an SSH certificate authority. To do so, a user had to know the secret gist's URL. This… | |||
| CVE-2023-23760 | 0.00 | — | 0.01 | Mar 8, 2023 | A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise… | |||
| CVE-2022-46257 | 0.00 | — | 0.01 | Mar 7, 2023 | An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in… | |||
| CVE-2023-22381 | 0.00 | — | 0.01 | Mar 2, 2023 | A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need… | |||
| CVE-2023-22380 | 0.00 | — | 0.01 | Feb 16, 2023 | A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise… | |||
| CVE-2022-23739 | 0.00 | — | 0.01 | Jan 17, 2023 | An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain access to and modify most… | |||
| CVE-2022-46258 | 0.00 | — | 0.01 | Jan 9, 2023 | An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This… | |||
| CVE-2022-46255 | 0.00 | — | 0.01 | Dec 14, 2022 | An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. A check was added within Pages to ensure the working directory is clean before unpacking new content to prevent an… | |||
| CVE-2022-46256 | 0.00 | — | 0.02 | Dec 14, 2022 | A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This… | |||
| CVE-2022-23741 | 0.00 | — | 0.01 | Dec 14, 2022 | An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability… | |||
| CVE-2022-23737 | 0.00 | — | 0.01 | Dec 1, 2022 | An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write… | |||
| CVE-2022-23740 | 0.00 | — | 0.01 | Nov 23, 2022 | CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub… | |||
| CVE-2022-23738 | 0.00 | — | 0.01 | Nov 1, 2022 | An improper cache key vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to access private repository files through a public repository. To exploit this, an actor would need to already be authorized on the GitHub Enterprise Server… |
- CVE-2023-46647Dec 21, 2023risk 0.00cvss —epss 0.01
Improper privilege management in all versions of GitHub Enterprise Server allows users with authorized access to the management console with an editor role to escalate their privileges by making requests to the endpoint used for bootstrapping the instance. This vulnerability…
- CVE-2023-46646Dec 21, 2023risk 0.00cvss —epss 0.01
Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content besides the name. This…
- CVE-2023-23766Sep 22, 2023risk 0.00cvss —epss 0.01
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To do so, an attacker would need write access to the repository. This vulnerability affected all versions…
- CVE-2023-23763Sep 1, 2023risk 0.00cvss —epss 0.01
An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub…
- CVE-2023-23765Aug 30, 2023risk 0.00cvss —epss 0.00
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability…
- CVE-2023-23764Jul 27, 2023risk 0.00cvss —epss 0.00
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff within the GitHub pull request UI. To do so, an attacker would need write access to the repository. This vulnerability affected GitHub…
- CVE-2023-23762Apr 7, 2023risk 0.00cvss —epss 0.01
An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff. To do so, an attacker would need write access to the repository and be able to correctly guess the target branch before it’s created…
- CVE-2023-23761Apr 7, 2023risk 0.00cvss —epss 0.00
An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to modify other users' secret gists by authenticating through an SSH certificate authority. To do so, a user had to know the secret gist's URL. This…
- CVE-2023-23760Mar 8, 2023risk 0.00cvss —epss 0.01
A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise…
- CVE-2022-46257Mar 7, 2023risk 0.00cvss —epss 0.01
An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in…
- CVE-2023-22381Mar 2, 2023risk 0.00cvss —epss 0.01
A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need…
- CVE-2023-22380Feb 16, 2023risk 0.00cvss —epss 0.01
A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise…
- CVE-2022-23739Jan 17, 2023risk 0.00cvss —epss 0.01
An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain access to and modify most…
- CVE-2022-46258Jan 9, 2023risk 0.00cvss —epss 0.01
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This…
- CVE-2022-46255Dec 14, 2022risk 0.00cvss —epss 0.01
An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. A check was added within Pages to ensure the working directory is clean before unpacking new content to prevent an…
- CVE-2022-46256Dec 14, 2022risk 0.00cvss —epss 0.02
A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This…
- CVE-2022-23741Dec 14, 2022risk 0.00cvss —epss 0.01
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability…
- CVE-2022-23737Dec 1, 2022risk 0.00cvss —epss 0.01
An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write…
- CVE-2022-23740Nov 23, 2022risk 0.00cvss —epss 0.01
CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub…
- CVE-2022-23738Nov 1, 2022risk 0.00cvss —epss 0.01
An improper cache key vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to access private repository files through a public repository. To exploit this, an actor would need to already be authorized on the GitHub Enterprise Server…
Page 5 of 6