CVE-2023-6690
LOW
GitHub Enterprise Server 3.8.0-3.8.11 - Authenticated Time-of-check Time-of-use Race Condition via GraphQL Mutation
Title source: llm
Description
A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on transferred repositories by making a GraphQL mutation to alter repository permissions during the transfer. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in versions 3.8.12, 3.9.7, 3.10.4, and 3.11.1.
Scores
CVSS v3: 3.9
EPSS: 0.0033
EPSS Percentile: 24.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
Details
CWE: CWE-367
Status: published
Products (2)
github/enterprise_server: 3.11.0
github/enterprise_server: 3.8.0 - 3.8.12
Published: Dec 21, 2023
Tracked Since: Feb 18, 2026