OpenCVE

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents:write and issues:read permissions. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Github	Enterprise Server

Configuration 1 [-]

OR	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server:3.11.0:::::::*

No data.

References

Link	Providers
https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1
https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19
https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12
https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published: 2023-12-21T20:45:46.269Z

Updated: 2024-08-02T22:32:09.453Z

Reserved: 2023-12-18T17:47:35.907Z

Link: CVE-2023-51379

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-21T21:15:13.480

Modified: 2024-11-21T08:37:59.450

Link: CVE-2023-51379

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-51379", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "state": "PUBLISHED", "assignerShortName": "GitHub_P", "dateReserved": "2023-12-18T17:47:35.907Z", "datePublished": "2023-12-21T20:45:46.269Z", "dateUpdated": "2024-08-02T22:32:09.453Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Enterprise Server", "vendor": "GitHub", "versions": [{"changes": [{"at": "3.7.19", "status": "unaffected"}], "lessThanOrEqual": "3.7.18", "status": "affected", "version": "3.7.0", "versionType": "semver"}, {"changes": [{"at": "3.8.12", "status": "unaffected"}], "lessThanOrEqual": "3.8.11", "status": "affected", "version": "3.8.0", "versionType": "semver"}, {"changes": [{"at": "3.9.7", "status": "unaffected"}], "lessThanOrEqual": "3.9.6", "status": "affected", "version": "3.9.0", "versionType": "semver"}, {"changes": [{"at": "3.10.4", "status": "unaffected"}], "lessThanOrEqual": "3.10.3", "status": "affected", "version": "3.10.0", "versionType": "semver"}, {"changes": [{"at": "3.11.1", "status": "unaffected"}], "lessThanOrEqual": "3.11.0", "status": "affected", "version": "3.11", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Douglas Day"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents:write and issues:read permissions. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. "}], "value": "An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents:write and issues:read permissions. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1.\u00a0"}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "CAPEC-114 Authentication Abuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2023-12-21T20:45:46.269Z"}, "references": [{"url": "https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19"}, {"url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12"}, {"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7"}, {"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4"}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1"}], "source": {"discovery": "EXTERNAL"}, "title": "Incorrect Authorization for Issue Comments in GitHub Enterprise Server ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:32:09.453Z"}, "title": "CVE Program Container", "references": [{"url": "https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19", "tags": ["x_transferred"]}, {"url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12", "tags": ["x_transferred"]}, {"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7", "tags": ["x_transferred"]}, {"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4", "tags": ["x_transferred"]}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "572EEE88-8375-4D67-8C20-811438C3A34A", "versionEndExcluding": "3.17.19", "versionStartIncluding": "3.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D983FF-FDDE-484C-AA34-31EB52E25EC2", "versionEndExcluding": "3.8.12", "versionStartIncluding": "3.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B118EB53-4459-4817-8F74-002DBA4860DA", "versionEndExcluding": "3.9.7", "versionStartIncluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F65FB74F-11AB-439B-9CF0-9F08E03E4083", "versionEndExcluding": "3.10.4", "versionStartIncluding": "3.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:3.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "AC723276-C3EE-4F79-857A-3A5C078C33E2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents:write and issues:read permissions. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1.\u00a0"}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de autorizaci\u00f3n incorrecta en GitHub Enterprise Server que permit\u00eda actualizar los comentarios del problema con un token con un alcance incorrecto. Esta vulnerabilidad no permit\u00eda el acceso no autorizado a ning\u00fan contenido del repositorio, ya que tambi\u00e9n requer\u00eda permisos de contenido: problemas de lectura y escritura. Esta vulnerabilidad afect\u00f3 a todas las versiones de GitHub Enterprise Server desde la 3.7 y se solucion\u00f3 en las versiones 3.17.19, 3.8.12, 3.9.7, 3.10.4 y 3.11.1."}], "id": "CVE-2023-51379", "lastModified": "2024-11-21T08:37:59.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "product-cna@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-21T21:15:13.480", "references": [{"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4"}, {"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1"}, {"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19"}, {"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12"}, {"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7"}], "sourceIdentifier": "product-cna@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "product-cna@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}