CVE-2022-46257

MEDIUM

GitHub Enterprise Server - Info Disclosure

Title source: llm

Description

An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploit this vulnerability, an attacker would need access to the GHES instance, permissions to modify GitHub Actions runner groups, and successfully guess the obfuscated ID of private repositories. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7 and was fixed in versions 3.3.17, 3.4.12, 3.5.9, 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program.

References (4)

Core 4

Core References

Various Sources

https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.17

Various Sources

https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.12

Various Sources

https://docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.9

Various Sources

https://docs.github.com/en/enterprise-server%403.6/admin/release-notes#3.6.5

Scores

CVSS v3 4.3

EPSS 0.0057

EPSS Percentile 42.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200 CWE-668

Status published

Products (1)

github/enterprise_server 3.3.0 - 3.3.17

Published Mar 07, 2023

Tracked Since Feb 18, 2026