CVE-2023-51380

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an improperly scoped token. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4	Release Notes
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1	Release Notes
https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19	Release Notes
https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12	Release Notes
https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7	Release Notes
https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4	Release Notes
https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1	Release Notes
https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19	Release Notes
https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12	Release Notes
https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server:3.11.0:::::::*

History

21 Nov 2024, 08:37

Type	Values Removed	Values Added
References	~~() https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 - Release Notes~~	() https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 - Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1 - Release Notes~~	() https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1 - Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19 - Release Notes~~	() https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19 - Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 - Release Notes~~	() https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 - Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 - Release Notes~~	() https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 - Release Notes
CVSS	v2 : ~~unknown~~ v3 : ~~4.3~~	v2 : unknown v3 : 2.7

11 Jun 2024, 19:16

Type	Values Removed	Values Added
Summary	(en) An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an improperly scoped token. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.17.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1.	(en) An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an improperly scoped token. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1.

29 Dec 2023, 19:22

Type	Values Removed	Values Added
References	~~() https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 -~~	() https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4 - Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1 -~~	() https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1 - Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19 -~~	() https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19 - Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 -~~	() https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12 - Release Notes
References	~~() https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 -~~	() https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7 - Release Notes
CVSS	v2 : ~~unknown~~ v3 : ~~2.7~~	v2 : unknown v3 : 4.3
First Time		Github Github enterprise Server
CPE		cpe:2.3:a:github:enterprise_server:::::::: cpe:2.3:a:github:enterprise_server:3.11.0:::::::*

22 Dec 2023, 12:18

Type	Values Removed	Values Added
Summary		(es) Se identificó una vulnerabilidad de autorización incorrecta en GitHub Enterprise Server que permitía leer los comentarios del problema con un token con un alcance incorrecto. Esta vulnerabilidad afectó a todas las versiones de GitHub Enterprise Server desde la 3.7 y se solucionó en las versiones 3.17.19, 3.8.12, 3.9.7, 3.10.4 y 3.11.1.

21 Dec 2023, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-21 21:15

Updated : 2024-12-16 19:07

NVD link : CVE-2023-51380

Mitre link : CVE-2023-51380

CVE.ORG link : CVE-2023-51380

JSON object : View

Products Affected

github

enterprise_server

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2023-51380", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "product-cna@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2023-12-21T21:15:13.757", "references": [{"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.19", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "product-cna@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an improperly scoped token.\u00a0This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1."}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de autorizaci\u00f3n incorrecta en GitHub Enterprise Server que permit\u00eda leer los comentarios del problema con un token con un alcance incorrecto. Esta vulnerabilidad afect\u00f3 a todas las versiones de GitHub Enterprise Server desde la 3.7 y se solucion\u00f3 en las versiones 3.17.19, 3.8.12, 3.9.7, 3.10.4 y 3.11.1."}], "lastModified": "2024-12-16T19:07:20.613", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9C219467-E463-4C59-AAD7-8BECDA8AA1AE", "versionEndExcluding": "3.7.19", "versionStartIncluding": "3.7.0"}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B3D983FF-FDDE-484C-AA34-31EB52E25EC2", "versionEndExcluding": "3.8.12", "versionStartIncluding": "3.8.0"}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B118EB53-4459-4817-8F74-002DBA4860DA", "versionEndExcluding": "3.9.7", "versionStartIncluding": "3.9.0"}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F65FB74F-11AB-439B-9CF0-9F08E03E4083", "versionEndExcluding": "3.10.4", "versionStartIncluding": "3.10.0"}, {"criteria": "cpe:2.3:a:github:enterprise_server:3.11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC723276-C3EE-4F79-857A-3A5C078C33E2"}], "operator": "OR"}]}], "sourceIdentifier": "product-cna@github.com"}

2.7 /10