7
CVE-2023-46649
- EPSS 0.15%
- Published 21.12.2023 21:15:09
- Last modified 21.11.2024 08:28:58
- Source product-cna@github.com
- CVE-Watchlists
- Open
LoginA race condition in GitHub Enterprise Server was identified that could allow an attacker administrator access. To exploit this, an organization needs to be converted from a user. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1.
Data is provided by the National Vulnerability Database (NVD)
Github ≫ Enterprise Server Version >= 3.7.0 < 3.7.19
Github ≫ Enterprise Server Version >= 3.8.0 < 3.8.12
Github ≫ Enterprise Server Version >= 3.9.0 < 3.9.7
Github ≫ Enterprise Server Version >= 3.10.0 < 3.10.4
Github ≫ Enterprise Server Version3.11.0
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.15% | 0.357 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7 | 1 | 5.9 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| product-cna@github.com | 6.3 | 0.3 | 5.9 |
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
|
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.