Multiple IBM Products Vulnerabilities
June 10, 2024
Severity
Medium
Analysis Summary
CVE-2023-46646 (CVSS 5.3)
GitHub Enterprise Server could allow a remote attacker to obtain sensitive information, caused by improper access control. By sending a specially crafted request to the "Get a check run" API endpoint, an attacker could exploit this vulnerability to obtain private repository names and use this information to launch further attacks against the affected system.
CVE-2023-46649 (CVSS 6.3)
GitHub Enterprise Server could allow a local authenticated attacker to bypass security restrictions, caused by a race condition flaw triggered when an organization was converted from a user. By sending a specially crafted request, an attacker could exploit this vulnerability to retain admin access.
CVE-2023-51379 (CVSS 4.9)
GitHub Enterprise Server could allow a remote authenticated attacker to bypass security restrictions, caused by improper authorization validation. By sending a specially crafted request with an improperly scoped token, an attacker could exploit this vulnerability to update issue comments.
Impact
- Information Disclosure
- Security Bypass
Indicators of Compromise
CVE
- CVE-2023-46646
- CVE-2023-46649
- CVE-2023-51379
Affected Vendors
- GitHub
Affected Products
- GitHub Enterprise Server 3.9.6
- GitHub Enterprise Server 3.10.3
- GitHub Enterprise Server 3.11.0
- GitHub Enterprise Server 3.8.11
- GitHub Enterprise Server 3.7.18
Remediation
Upgrade to the latest version of GitHub Enterprise Server, available from the GitHub website.