GitHub Enterprise Server vulnerabilities
43 known vulnerabilities affecting github/github_enterprise_server.

Total CVEs: 43
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0

Severity breakdown: CRITICAL 5, HIGH 13, MEDIUM 24, LOW 1

Vulnerabilities (page 1 of 3)
CVE-2024-6800 | P2 | CRITICAL | CVSS 9.8 | CWE-347 | Affected: ≥ 3.13.0, ≤ 3.13.2; ≥ 3.12.0, ≤ 3.12.7; +2 more | Published: 2024-08-20
An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when using SAML authentication with specific identity providers utilizing publicly exposed signed federation metadata XML. This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or ga
Source: NVD
CVE-2020-10518 | P2 | HIGH | CVSS 8.8 | CWE-77 | Affected: ≥ 2.19, < 2.19.21; ≥ 2.20, < 2.20.15; +1 more | Published: 2020-08-27
A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulne
Source: NVD
CVE-2020-10519 | P2 | HIGH | CVSS 8.8 | CWE-77 | Affected: ≥ 2.20, < 2.20.24; ≥ 2.21, < 2.21.15; +1 more | Published: 2021-03-03
A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulne
Source: NVD
CVE-2021-41599 | P2 | HIGH | CVSS 8.8 | CWE-77 | Affected: ≥ 3.0, < 3.0.21; ≥ 3.1, < 3.1.13; +1 more | Published: 2022-02-18
A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Serve
Source: NVD
CVE-2022-23734 | P2 | HIGH | CVSS 8.8 | CWE-502 | Affected: ≥ 3.2, < 3.2.16; ≥ 3.3, < 3.3.11; +2 more | Published: 2022-10-19
A deserialization of untrusted data vulnerability was identified in GitHub Enterprise Server that could potentially lead to remote code execution on the SVNBridge. To exploit this vulnerability, an attacker would need to gain access via a server-side request forgery (SSRF) that would let an attacker control the data being deserialized. This vulnerabil
Source: NVD
CVE-2021-22864 | P2 | HIGH | CVSS 8.8 | CWE-77 | Affected: ≥ 2.21, < 2.21.17; ≥ 2.22, < 2.22.9; +1 more | Published: 2021-03-23
A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to override environment variables leading to code execution on the GitHub Enterprise Server instance.
Source: NVD
CVE-2022-46256 | P2 | HIGH | CVSS 8.8 | CWE-22 | Affected: ≥ 3.3, < 3.3.17; ≥ 3.4, < 3.4.12; +3 more | Published: 2022-12-14
A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, 3.6.5 and 3.7.2. This vu
Source: NVD
CVE-2022-46255 | P2 | CRITICAL | CVSS 9.8 | CWE-22 | Affected: ≥ 3.7, < 3.7.1 | Published: 2022-12-14
An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. A check was added within Pages to ensure the working directory is clean before unpacking new content to prevent an arbitrary file overwrite bug. This vulnerability affected only version 3.7.0 of
Source: NVD
CVE-2021-22869 | P3 | CRITICAL | CVSS 9.8 | CWE-668 | Affected: ≥ 3.0, < 3.0.16; ≥ 3.1, < 3.1.8 | Published: 2021-09-24
An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group could access all of the enterprise runner groups wi
Source: NVD
CVE-2022-23740 | P3 | HIGH | CVSS 8.8 | CWE-88 | Affected: ≥ 3.7, < 3.7.1 | Published: 2022-11-23
CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This vulnerability affected only version 3.7.0 of GitHub Enterprise
Source: NVD
CVE-2022-23739 | P3 | CRITICAL | CVSS 9.8 | CWE-863 | Affected: ≥ 3.3, < 3.3.16; ≥ 3.4, < 3.4.11; +3 more | Published: 2023-01-17
An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain access to and modify most organization-level resources that are not tied to a repository regardless of granted pe
Source: NVD
CVE-2020-10516 | P3 | CRITICAL | CVSS 9.8 | CWE-285 | Affected: ≥ 2.20, < 2.20.9; ≥ 2.19, < 2.19.15; +1 more | Published: 2020-06-03
An improper access control vulnerability was identified in the GitHub Enterprise Server API that allowed an organization member to escalate permissions and gain access to unauthorized repositories within an organization. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.21 and was fixed in 2.20.9, 2.19.15, and 2.18.20
Source: NVD
CVE-2022-23732 | P3 | HIGH | CVSS 8.8 | CWE-23 | Affected: ≥ 3.1, < 3.1.19; ≥ 3.2, < 3.2.11; +2 more | Published: 2022-04-05
A path traversal vulnerability was identified in GitHub Enterprise Server management console that allowed the bypass of CSRF protections. This could potentially lead to privilege escalation. To exploit this vulnerability, an attacker would need to target a user that was actively logged into the management console. This vulnerability affected all versio
Source: NVD
CVE-2021-22863 | P3 | HIGH | CVSS 8.1 | CWE-285 | Affected: ≥ 2.20, < 2.20.24; ≥ 2.21, < 2.21.15; +2 more | Published: 2021-03-03
An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker would be able to gain access to head branches of pull request
Source: NVD
CVE-2024-2443 | P3 | HIGH | CVSS 7.2 | CWE-20 | Affected: ≥ 3.8.0, < 3.8.17; ≥ 3.9.0, < 3.9.12; +3 more | Published: 2024-03-20
A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when configuring GeoJSON settings. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console wi
Source: NVD
CVE-2024-5746 | P3 | HIGH | CVSS 7.2 | CWE-918 | Affected: ≥ 3.9.0, ≤ 3.9.15; ≥ 3.10.0, ≤ 3.10.12; +2 more | Published: 2024-06-20
A Server-Side Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the Site Administrator role to gain arbitrary code execution capability on the GitHub Enterprise Server instance. Exploitation required authenticated access to GitHub Enterprise Server as a user with the Site Administrator role. This vulne
Source: NVD
CVE-2022-23741 | P3 | HIGH | CVSS 7.2 | CWE-863 | Affected: ≥ 3.3, < 3.3.17; ≥ 3.4, < 3.4.12; +2 more | Published: 2022-12-14
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, and 3.6.5. This vulnerabilit
Source: NVD
CVE-2024-5817 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | Affected: ≥ 3.10.0, ≤ 3.10.13; ≥ 3.11.0, ≤ 3.11.11; +3 more | Published: 2024-07-16
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed read access to issue content via GitHub Projects. This was only exploitable in internal repositories and required the attacker to have access to the corresponding project board. This vulnerability affected all versions of GitHub Enterprise Server prior to
Source: NVD
CVE-2024-6337 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | Affected: ≥ 3.10.0, ≤ 3.10.15; ≥ 3.11.0, ≤ 3.11.14; +2 more | Published: 2024-08-20
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a GitHub App with only content: read and pull_request_write: write permissions to read issue content inside a private repository. This was only exploitable via user access token and installation access token was not impacted. This vulnerability affected al
Source: NVD
CVE-2021-22867 | P3 | MEDIUM | CVSS 6.5 | CWE-77 | Affected: ≥ 2.22, < 2.22.22; ≥ 3.0, < 3.0.16; +1 more | Published: 2021-07-14
A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would n
Source: NVD