Lucene search

[email protected]NVD:CVE-2023-46648

HistoryDec 21, 2023 - 9:15 p.m.

CVE-2023-46648

2023-12-2121:15:09

CWE-331

[email protected]

web.nvd.nist.gov

github

enterprise

server

vulnerability

brute force

user invitation

management console

exploit

fixed

bug bounty program

cve-2023-46648

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

26.9%

JSON

An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program.

Affected configurations

NVD

Node

githubenterprise_serverRange3.8.0–3.8.12

githubenterprise_serverRange3.9.0–3.9.7

githubenterprise_serverRange3.10.0–3.10.4

githubenterprise_serverMatch3.11.0

References

docs.github.com/en/[email protected]/admin/release-notes#3.10.4

docs.github.com/en/[email protected]/admin/release-notes#3.11.1

docs.github.com/en/[email protected]/admin/release-notes#3.8.12

docs.github.com/en/[email protected]/admin/release-notes#3.9.7

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

26.9%

JSON

Related for NVD:CVE-2023-46648

cve1 cvelist1 prion1 hackerone1