CVE-2023-6847

HIGH

GitHub Enterprise Server 3.9.0-3.9.6 - Improper Authentication Bypass via API Request


Description

An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of Private Mode by using a specially crafted API request. To exploit this vulnerability, an attacker would need network access to the Enterprise Server appliance configured in Private Mode. This vulnerability affected all versions of GitHub Enterprise Server since 3.9 and was fixed in versions 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program.

Scores

CVSS v3 7.5
EPSS 0.0081
EPSS Percentile 52.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-287
Status published
Products (2)
github/enterprise_server 3.11.0
github/enterprise_server 3.9.0 - 3.9.7
Published Dec 21, 2023
Tracked Since Feb 18, 2026