CVE-2023-51379

MEDIUM

GitHub Enterprise Server <3.17.19-3.11.1 - Auth Bypass

Title source: llm

Description

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents:write and issues:read permissions. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1.

References (5)

Core 5

Core References

Release Notes

https://docs.github.com/en/[email protected]/admin/release-notes#3.10.4

Release Notes

https://docs.github.com/en/[email protected]/admin/release-notes#3.11.1

Release Notes

https://docs.github.com/en/[email protected]/admin/release-notes#3.7.19

Release Notes

https://docs.github.com/en/[email protected]/admin/release-notes#3.8.12

Release Notes

https://docs.github.com/en/[email protected]/admin/release-notes#3.9.7

Scores

CVSS v3 4.9

EPSS 0.0061

EPSS Percentile 44.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-863

Status published

Products (2)

github/enterprise_server 3.11.0

github/enterprise_server 3.7.0 - 3.7.19

Published Dec 21, 2023

Tracked Since Feb 18, 2026