CVE-2023-23763

Summary

An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.10.0 and was fixed in versions 3.9.4, 3.8.9, 3.7.16 and 3.6.18. This vulnerability was reported via the GitHub Bug Bounty program.

Affected Software

VendorProductVersion RangeStatus
GitHubEnterprise Server3.6.0 < 3.6.18affected
GitHubEnterprise Server3.7.0 < 3.7.16affected
GitHubEnterprise Server3.8.0 < 3.8.9affected
GitHubEnterprise Server3.9.0 < 3.9.4affected

Weaknesses

  • CWE-200: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References