CVE-2023-51379

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents:write and issues:read permissions. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.9 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
GitHub_PCNA
4.9 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
VendorProductVersion
githubenterprise_server
3.7.0 ≤
𝑥
< 3.7.19
githubenterprise_server
3.8.0 ≤
𝑥
< 3.8.12
githubenterprise_server
3.9.0 ≤
𝑥
< 3.9.7
githubenterprise_server
3.10.0 ≤
𝑥
< 3.10.4
githubenterprise_server
3.11.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1
https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19
https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12
https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7
https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1
https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19
https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12
https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7