CVE-2023-46648

HIGH Year: 2023
CVSS v3 Score
7.5
High
Weakness Type
CWE-331
View all →

Vulnerability Description

An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program.

Related Vulnerabilities

CVE-2001-0950

HIGH
CVSS:7.5(High)

ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 uses insufficiently random data to (1) generate session tokens for HSMs using the C rand function, or (2) generat...

CWE-3312001

CVE-2015-3405

HIGH
CVSS:7.5(High)

ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is betwee...

CWE-3312015

CVE-2015-7764

HIGH
CVSS:7.5(High)

Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode.

CWE-3312015

CVE-2015-8851

HIGH
CVSS:7.5(High)

node-uuid before 1.4.4 uses insufficiently random data to create a GUID, which could make it easier for attackers to have unspecified impact via brute force guessing.

CWE-3312015

CVE-2018-15812

HIGH
CVSS:7.5(High)

DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.

CWE-3312018

CVE-2018-18326

HIGH
CVSS:7.5(High)

DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15...

CWE-3312018