8.3
CVE-2023-46648
- EPSS 1.03%
- Published 21.12.2023 21:15:09
- Last modified 21.11.2024 08:28:58
- Source product-cna@github.com
An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in versions 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program.
Data is provided by the National Vulnerability Database (NVD)
Github ≫ Enterprise Server Version >= 3.8.0 < 3.8.12
Github ≫ Enterprise Server Version >= 3.9.0 < 3.9.7
Github ≫ Enterprise Server Version >= 3.10.0 < 3.10.4
Github ≫ Enterprise Server Version 3.11.0
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.03% | 0.766 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 1.6 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| product-cna@github.com | 8.3 | 1.6 | 6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
CWE-331 Insufficient Entropy
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.