CVE-2023-6804

CVSS 3.1 Score 5.5 of 10 (medium)

Details

Published Dec 21, 2023

Updated: Dec 29, 2023

CWE ID 269

Summary

CVE-2023-6804 is a privilege misconfiguration vulnerability affecting all versions of GitHub Enterprise Server from 3.8 to 3.11.1. This issue stems from improper handling of Pull Access Tokens (PATs), which allowed unauthorized users to commit and execute arbitrary workflows. Exploitation required a pre-existing workflow in the target repository. GitHub released patches in versions 3.8.12, 3.9.7, 3.10.4, and 3.11.1 to address this vulnerability.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Github Enterprise Server

Affected Vendors

GitHub

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/ty7RwV
https://www.cve.org/CVERecord?id=CVE-2023-6804
https://nvd.nist.gov/vuln/detail/CVE-2023-6804

Back to Vulnerability Database