GitHub Enterprise Server vulnerabilities
43 known vulnerabilities affecting github/github_enterprise_server.
Total CVEs: 43
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 13, MEDIUM 24, LOW 1
Vulnerabilities
Page 2 of 3
CVE-2021-22870 | P3 | MEDIUM | CVSS 6.5 | CWE-23 | 2021-11-10
Affected: ≥ 3.0, < 3.0.19; ≥ 3.1, < 3.1.11; +1 more
A path traversal vulnerability was identified in GitHub Pages builds on GitHub Enterprise Server that could allow an attacker to read system files. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterp
Source: nvd
CVE-2021-22861 | P3 | MEDIUM | CVSS 6.5 | CWE-285 | 2021-03-03
Affected: ≥ 2.20, < 2.20.24; ≥ 2.21, < 2.21.15; +2 more
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests. An attacker would need to be able to fork the targeted repository, a setting that is disabled by default f
Source: nvd
CVE-2023-22380 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | 2023-02-16
Affected: ≥ 3.7, < 3.7.6
A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterpris
Source: nvd
CVE-2024-5566 | P3 | MEDIUM | CVSS 6.5 | CWE-269 | 2024-07-16
Affected: ≥ 3.9.0, ≤ 3.9.16; ≥ 3.10.0, ≤ 3.10.13; +3 more
An improper privilege management vulnerability allowed users to migrate private repositories without having appropriate scopes defined on the related Personal Access Token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17.
Source: nvd
CVE-2021-22862 | P3 | MEDIUM | CVSS 6.5 | CWE-285 | 2021-03-03
Affected: ≥ 3.0, < 3.0.1
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrar
Source: nvd
CVE-2022-23737 | P3 | MEDIUM | CVSS 6.5 | CWE-269 | 2022-12-01
Affected: ≥ 3.2, < 3.2.20; ≥ 3.3, < 3.3.15; +3 more
An improper privilege management vulnerability was identified in GitHub Enterprise Server that allowed users with improper privileges to create or delete pages via the API. To exploit this vulnerability, an attacker would need to be added to an organization's repo with write permissions. This vulnerability affected all versions of GitHub Enterprise
Source: nvd
CVE-2022-46258 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | 2023-01-09
Affected: ≥ 3.3, < 3.3.16; ≥ 3.4, < 3.4.11; +2 more
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This vulnerability affected all versions of GitHub Enterprise Server prior to
Source: nvd
CVE-2025-3246 | P3 | HIGH | CVSS 7.6 | CWE-79 | 2025-04-17
Affected: ≥ 3.16, ≤ 3.16.1
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed cross-site scripting in GitHub Markdown that used `$$..$$` math blocks. Exploitation required access to the target GitHub Enterprise Server instance and privileged user interaction with the malicious elements. This vulnerability affected version 3.16
Source: nvd
CVE-2021-22865 | P3 | MEDIUM | CVSS 6.5 | CWE-285 | 2021-04-02
Affected: ≥ 3.0, < 3.0.4; ≥ 2.22, < 2.22.10; +1 more
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's web authentication flow to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this vulnerability, an attacker would need to create a GitHub App
Source: nvd
CVE-2024-5795 | P3 | MEDIUM | CVSS 6.5 | CWE-400 | 2024-07-16
Affected: ≥ 3.9.0, ≤ 3.9.16; ≥ 3.10.0, ≤ 3.10.13; +3 more
A Denial of Service vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause unbounded resource exhaustion by sending a large payload to the Git server. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in version 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnera
Source: nvd
CVE-2024-5815 | P4 | MEDIUM | CVSS 6.5 | CWE-352 | 2024-07-16
Affected: ≥ 3.9.0, ≤ 3.9.16; ≥ 3.10.0, ≤ 3.10.13; +3 more
A Cross-Site Request Forgery vulnerability in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting incorrect request types. A mitigating factor is that the attacker would have to be a trusted GitHub Enterprise Server user, and the victim would have to visit a tag in the attacker's fork of their own repository. v
Source: nvd
CVE-2022-23738 | P4 | MEDIUM | CVSS 5.7 | CWE-200 | 2022-11-01
Affected: ≥ 3.2, < 3.2.20; ≥ 3.3, < 3.3.15; +3 more
An improper cache key vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to access private repository files through a public repository. To exploit this, an actor would need to already be authorized on the GitHub Enterprise Server instance, be able to create a public repository, and have a site administrator
Source: nvd
CVE-2024-5816 | P4 | MEDIUM | CVSS 5.3 | CWE-863 | 2024-07-16
Affected: ≥ 3.10.0, ≤ 3.10.13; ≥ 3.11.0, ≤ 3.11.11; +3 more
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed a suspended GitHub App to retain access to the repository via a scoped user access token. This was only exploitable in public repositories; private repositories were not impacted. This vulnerability affected all versions of GitHub Enterprise Server pr
Source: nvd
CVE-2024-6336 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | 2024-07-16
Affected: ≥ 3.10.0, ≤ 3.10.13; ≥ 3.11.0, ≤ 3.11.11; +3 more
A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users by exploiting the organization ruleset feature. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability
Source: nvd
CVE-2024-6395 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | 2024-07-16
Affected: ≥ 3.10.0, ≤ 3.10.13; ≥ 3.11.0, ≤ 3.11.11; +3 more
An exposure of sensitive information vulnerability in GitHub Enterprise Server would allow an attacker to enumerate the names of private repositories that utilize deploy keys. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.
Source: nvd
CVE-2022-23733 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | 2022-08-02
Affected: ≥ 3.3, < 3.3.11; ≥ 3.4, < 3.4.6; +1 more
A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by GitHub's Content Security Policy (CSP). This vulnerability affected all versions of GitHub Enterprise Server prior to 3.6 and was fixed in versions 3.3.11, 3.4.6 and 3.5.3. This vulnerability was repor
Source: nvd
CVE-2024-8770 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | 2024-09-23
Affected: ≥ 3.14, ≤ 3.14.0; ≥ 3.13.0, ≤ 3.13.3; +3 more
A Cross-Site Scripting (XSS) vulnerability was identified in the repository transfer feature of GitHub Enterprise Server, which allows attackers to steal sensitive user information via social engineering. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.10.17, 3.11.15, 3.12.9, 3.13.4, and 3.14.1. This vuln
Source: nvd
CVE-2024-7711 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | 2024-08-20
Affected: ≥ 3.11.0, ≤ 3.11.13; ≥ 3.12.0, ≤ 3.12.7; +1 more
An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. This was only exploitable inside a public repository. This vulnerability affected GitHub Enterprise Server versions before 3.14 and was fixed in versions 3.13.3, 3
Source: nvd
CVE-2020-10517 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | 2020-08-27
Affected: ≥ 2.21, < 2.21.6; ≥ 2.20, < 2.20.15; +1 more
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all ve
Source: nvd
CVE-2024-9539 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | 2024-10-11
Affected: ≥ 3.14.0, ≤ 3.14.1; ≥ 3.13.0, ≤ 3.13.4; +2 more
An information disclosure vulnerability was identified in GitHub Enterprise Server via an attacker-uploaded asset URL, allowing the attacker to retrieve metadata information of a user who clicks on the URL and further exploit it to create a convincing phishing page. This required the attacker to upload malicious SVG files and phish a victim user to click
Source: nvd