Lucene search
K
GithubEnterprise Server

30 matches found

CVE
CVE
added 2024/02/13 6:47 p.m.89 views

CVE-2024-1082

Summary: CVE-2024-1082 describes a path traversal in GitHub Enterprise Server that allows an attacker with page-site build permissions to read files via symbolic links in a crafted artifact tarball uploaded to GitHub Pages. Affected product/versions: GitHub Enterprise Server prior to 3.12. Fixed ...

6.5CVSS6.3AI score0.0077EPSS
CVE
CVE
added 2024/07/16 9:26 p.m.71 views

CVE-2024-5815

CVE-2024-5815 is a Cross-Site Request Forgery in GitHub Enterprise Server that permits write operations on a victim-owned repository when an attacker who is a trusted GHE user induces the victim to visit a tag in the attacker’s fork. The issue affects all GitHub Enterprise Server versions prior t...

6.8CVSS6.5AI score0.0025EPSS
CVE
CVE
added 2021/07/14 8:55 p.m.69 views

CVE-2021-22867

CVE-2021-22867 / CVE-2021-22868 (GitHub Enterprise Server) : Path traversal through GitHub Pages configuration options that are user-controlled, allowing reading files on the server during page builds. Affected versions: all before 3.1.3 (fixed in 3.1.3, 3.0.11, 2.22.17). Red Hat notes indicate t...

6.5CVSS5.1AI score0.01171EPSS
CVE
CVE
added 2023/01/09 12:0 a.m.67 views

CVE-2022-46258

CVE-2022-46258 describes an incorrect authorization in GitHub Enterprise Server where a repository-scoped token with read/write access could modify Action Workflow files without a Workflow scope. Affected: all versions before 3.7. Fixes were released in 3.3.16, 3.4.11, 3.5.8, and 3.6.4. Practical...

6.5CVSS6.2AI score0.0056EPSS
CVE
CVE
added 2023/02/16 12:0 a.m.66 views

CVE-2023-22380

CVE-2023-22380 describes a path traversal vulnerability in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. The issue affects all versions of GitHub Enterprise Server since 3.7 and is due to a flaw in the file-path handling during Page builds, enabli...

6.5CVSS6.3AI score0.00682EPSS
CVE
CVE
added 2022/12/01 12:0 a.m.65 views

CVE-2022-23737

Summary: CVE-2022-23737 is an improper privilege management vulnerability in GitHub Enterprise Server that allows users with insufficient privileges to create or delete pages via the API. An attacker would need to be added to an organization’s repository with write permissions to exploit it. The ...

6.5CVSS6.4AI score0.00696EPSS
CVE
CVE
added 2024/07/16 9:27 p.m.64 views

CVE-2024-6336

CVE-2024-6336 describes a security misconfiguration in GitHub Enterprise Server where sensitive information could be disclosed to unauthorized users by exploiting the organization ruleset feature. An organization member could change the visibility of a dependent repository from private to public,...

6.9CVSS5.1AI score0.0042EPSS
CVE
CVE
added 2024/02/13 6:44 p.m.63 views

CVE-2024-1084

GitHub Enterprise Server remote UI vulnerability CVE-2024-1084 is a Cross-site Scripting issue in the tag name pattern field of the tag protections UI. The flaw allows a malicious website, leveraging user interaction and social engineering, to change a user account via CSP bypass with created CSR...

6.5CVSS6.3AI score0.00469EPSS
CVE
CVE
added 2021/04/02 5:25 p.m.62 views

CVE-2021-22865

Summary. CVE-2021-22865 is an improper access control vulnerability in GitHub Enterprise Server that allows access tokens generated from a GitHub App’s web authentication flow to read private repository metadata via the REST API without granted permissions. Prerequisites: an attacker must create ...

6.5CVSS6.5AI score0.01316EPSS
CVE
CVE
added 2024/07/16 9:26 p.m.62 views

CVE-2024-5566

CVE-2024-5566 affects GitHub Enterprise Server prior to 3.14, where an improper privilege management issue allowed migration of private repositories without sufficient Personal Access Token scopes. The root cause is insufficient access control during repository migration, enabling unintended cont...

6.5CVSS5.8AI score0.00476EPSS
CVE
CVE
added 2024/11/07 9:15 p.m.61 views

CVE-2024-10824

CVE-2024-10824 affects GitHub Enterprise Server versions after 3.13.0 but before 3.14.0. The root cause is an authorization bypass that allowed organization members with a personal access token to access secret scanning alert data intended only for business owners, provided secret scanning was en...

6.5CVSS6.3AI score0.00339EPSS
CVE
CVE
added 2024/07/16 9:27 p.m.61 views

CVE-2024-5816

CVE-2024-5816 – GitHub Enterprise Server : An Incorrect Authorization flaw allows a suspended GitHub App to retain access to repositories via a scoped user access token. Impact is limited to public repositories; private repos are not affected. Affected: all GitHub Enterprise Server versions prior...

6.9CVSS5.1AI score0.00507EPSS
CVE
CVE
added 2024/08/20 7:19 p.m.60 views

CVE-2024-6337

CVE-2024-6337 affects GitHub Enterprise Server. A flawed authorization allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repo. The issue is exploitable via a user access token; installation access tokens were not impacted...

6.5CVSS6.2AI score0.00705EPSS
CVE
CVE
added 2024/07/16 9:27 p.m.59 views

CVE-2024-6395

CVE-2024-6395 (GitHub Enterprise Server) exposes a sensitive-information issue that allows an attacker to enumerate the names of private repositories using deploy keys, but does not disclose repository contents. Affected: GitHub Enterprise Server versions prior to 3.14. The root cause, per multip...

6.3CVSS5.1AI score0.00492EPSS
CVE
CVE
added 2024/09/23 8:12 p.m.58 views

CVE-2024-8263

CVE-2024-8263 describes an improper privilege management vulnerability in GitHub Enterprise Server that allows arbitrary workflows to be committed via an improperly scoped Personal Access Token (PAT) when nested tags are used. Affected product: GitHub Enterprise Server (all versions prior to the ...

6.2CVSS7.1AI score0.00449EPSS
CVE
CVE
added 2023/09/22 2:18 p.m.57 views

CVE-2023-23766

CVE-2023-23766 describes an incorrect comparison vulnerability in GitHub Enterprise Server that enabled commit smuggling by displaying an incorrect diff when re-opening a Pull Request. Exploitation would require write access to the repository. All versions prior to the fixed releases are affected...

6.5CVSS5.4AI score0.0059EPSS
CVE
CVE
added 2021/11/10 1:55 a.m.55 views

CVE-2021-22870

The CVE-2021-22870 issue affects GitHub Enterprise Server pages builds and is a path-traversal vulnerability that could allow an attacker with permission to create and build a GitHub Pages site to read system files. The vulnerability exists in all versions prior to 3.3 and was fixed in 3.0.19, 3....

6.5CVSS6.3AI score0.01098EPSS
CVE
CVE
added 2023/12/21 8:45 p.m.54 views

CVE-2023-46645

CVE-2023-46645 describes a path traversal vulnerability in GitHub Enterprise Server that enables arbitrary file reading when building a GitHub Pages site. The attacker must have permission to create and build a GitHub Pages site on the affected server. Affected versions include all releases since...

6.8CVSS5.4AI score0.00791EPSS
CVE
CVE
added 2024/07/16 9:27 p.m.54 views

CVE-2024-5817

GitHub Enterprise Server (GES) security advisory CVE-2024-5817 describes an Incorrect Authorization flaw that allowed read access to issue content via GitHub Projects. Affected: all GES versions prior to 3.14. The vulnerability required attacker access to the corresponding internal project board ...

6.5CVSS6.3AI score0.00514EPSS
CVE
CVE
added 2024/09/23 8:9 p.m.54 views

CVE-2024-8770

CVE-2024-8770 describes a Cross-Site Scripting (XSS) vulnerability in the repository transfer feature of GitHub Enterprise Server. The issue affected all versions prior to the fixed releases and allowed attackers to steal sensitive user information via social engineering. Fixes were released in G...

6.1CVSS5.7AI score0.0035EPSS
CVE
CVE
added 2023/04/07 6:41 p.m.52 views

CVE-2023-23762

CVE-2023-23762 describes an incorrect comparison vulnerability in GitHub Enterprise Server that enables commit smuggling by displaying an incorrect diff. An attacker would need write access to a repository and must correctly guess the target branch before it’s created by the maintainer. The issue...

6.5CVSS5.5AI score0.0064EPSS
CVE
CVE
added 2023/08/30 10:33 p.m.51 views

CVE-2023-23765

CVE-2023-23765 concerns GitHub Enterprise Server. The issue is an incorrect comparison vulnerability that allows commit smuggling by displaying an incorrect diff in a re-opened Pull Request. The exploitation condition requires the attacker to have write access to the affected repository. The avai...

6.5CVSS5.3AI score0.00485EPSS
CVE
CVE
added 2023/12/21 8:45 p.m.39 views

CVE-2023-6804

CVE-2023-6804 (GitHub Enterprise Server) : Improper privilege management allows arbitrary workflows to be committed and run using an improperly scoped Personal Access Token, provided a workflow already exists in the target repo. Affected: GitHub Enterprise Server versions 3.8–3.11.x (before fixes...

6.5CVSS5.9AI score0.00204EPSS
CVE
CVE
added 2025/07/01 6:56 p.m.35 views

CVE-2025-6600

This CVE affects GitHub Enterprise Server v3.17. The issue is an information-disclosure where a user-to-server token with no scopes, used via the Search API, could disclose private repository names within an organization. Exploitation required an organization administrator to install a malicious ...

6.3CVSS6.4AI score0.00275EPSS
CVE
CVE
added 2024/02/29 6:23 p.m.33 views

CVE-2024-1908

CVE-2024-1908 concerns GitHub Enterprise Server. The issue is an improper privilege management flaw that allowed an attacker with a non-default GitHub Connect setting and an account on the server to use the Enterprise Actions GitHub Connect download token to fetch private repository data. Affecte...

6.5CVSS6.3AI score0.00606EPSS
CVE
CVE
added 2026/06/30 9:39 p.m.31 views

CVE-2026-10585

CVE-2026-10585 describes a stored XSS in GitHub Enterprise Server where an authenticated attacker could execute JavaScript in another user’s browser by injecting a crafted payload into a Discussion title in the Q&A category. The vulnerability stems from the AnsweredQuestionStructuredDataComponent...

6.3CVSS5.9AI score0.00184EPSS
CVE
CVE
added 2026/02/18 8:42 p.m.25 views

CVE-2026-1355

GitHub Enterprise Server contains a Missing Authorization vulnerability in the repository migration upload endpoint. An authenticated attacker could supply a migration identifier to overwrite or replace a victim’s migration archive, potentially causing victims to download attacker-controlled repo...

6.5CVSS5.7AI score0.0039EPSS
CVE
CVE
added 2026/05/07 9:18 p.m.24 views

CVE-2026-8106

CVE-2026-8106 describes a reflected HTML injection in the GitHub Enterprise Server Management Console login page. The vulnerability lies in the redirect_to query parameter on the /setup/unlock endpoint, which is reflected into an HTML attribute without proper sanitization. An attacker could entic...

6.1CVSS5.8AI score0.00164EPSS
Web
CVE
CVE
added 2026/06/30 8:23 p.m.24 views

CVE-2026-9132

CVE-2026-9132 describes a missing authorization flaw in GitHub Enterprise Server where an authenticated user could read source code from private repositories via the Copilot pull request description diff summary endpoint. The vulnerability allowed a user with read access to at least one repositor...

6.5CVSS5.9AI score0.00257EPSS
CVE
CVE
added 2026/05/07 9:14 p.m.20 views

CVE-2026-6736

CVE-2026-6736 describes an authentication bypass in GitHub Enterprise Server (GHES) : when external authentication is enabled, the signup endpoint could create a local user account and establish a session without validating the external identity provider. This unauthenticated access required netw...

6.5CVSS5.8AI score0.00266EPSS