CVE-2023-6847

7.5 HIGH

📋 TL;DR

This CVE describes an authentication bypass vulnerability in GitHub Enterprise Server's Private Mode. Attackers with network access can craft API requests to bypass authentication and access private resources. All GitHub Enterprise Server installations since version 3.9 are affected unless patched.

💻 Affected Systems

Products:
  • GitHub Enterprise Server
Versions: All versions since 3.9 up to but not including 3.9.7, 3.10.4, and 3.11.1
Operating Systems: GitHub Enterprise Server appliance
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances configured in Private Mode. Public Mode instances are not vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthenticated attackers gain full access to private repositories, source code, secrets, and sensitive data stored in the GitHub Enterprise Server instance.

🟠 Likely Case

Attackers bypass Private Mode to access internal repositories, potentially exposing proprietary code, credentials, and intellectual property.

🟢 If Mitigated

With proper network segmentation and access controls, only authorized internal users could potentially exploit this, limiting exposure.

🌐 Internet-Facing: HIGH if the GitHub Enterprise Server is exposed to the internet, as attackers could directly exploit the vulnerability.
🏢 Internal Only: MEDIUM as attackers would need internal network access, but insider threats or compromised internal systems could exploit it.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the appliance and knowledge of the specially crafted API request. No authentication is required to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.7, 3.10.4, or 3.11.1

Vendor Advisory: https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4

Restart Required: Yes

Instructions:

1. Back up your GitHub Enterprise Server instance.
2. Download the appropriate patch version from GitHub Enterprise.
3. Follow the upgrade instructions for your version.
4. Restart the appliance after the upgrade completes.

🔧 Temporary Workarounds

Network Access Restriction

Restrict network access to GitHub Enterprise Server to only trusted IP addresses and networks.

Use firewall rules to limit access. Replace trusted_network with your trusted CIDR; because -A appends, the ACCEPT rule must be added before the DROP rule:

```bash
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
```

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate GitHub Enterprise Server from untrusted networks
  • Enable enhanced logging and monitoring for suspicious API requests to the appliance

🔍 How to Verify

Check if Vulnerable:

Check your GitHub Enterprise Server version via the Management Console or SSH. If the version is 3.9.0 through 3.9.6, 3.10.0 through 3.10.3, or 3.11.0, you are vulnerable.

Check Version:

ssh -p 122 admin@your-gh-enterprise-server 'ghe-version' (the administrative shell listens on port 122) or check via the Management Console

Verify Fix Applied:

After patching, verify the version shows 3.9.7, 3.10.4, or 3.11.1 or higher. Test Private Mode functionality to ensure authentication is properly enforced.
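The version ranges above, turned into a checker as an added example (not code from the advisory or from GitHub): it pulls an x.y.z triple out of a version string, classifies it as vulnerable, patched, or not affected per release line, and gates the result on Private Mode, since the advisory states Public Mode instances are not vulnerable. The "GitHub Enterprise Server 3.10.3" output shape is an assumption used only for the parser.

```python
"""Classify a GitHub Enterprise Server version against the CVE-2023-6847 fix levels."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First affected release and the first fixed patch on each affected release
# line (3.9.7, 3.10.4, 3.11.1), as stated in the advisory.
FIRST_AFFECTED: Version = (3, 9, 0)
FIXED_IN = {(3, 9): (3, 9, 7), (3, 10): (3, 10, 4), (3, 11): (3, 11, 1)}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Return the first x.y.z triple found in a string, or None.

    Accepts a bare "3.10.3" or a line of command output such as
    "GitHub Enterprise Server 3.10.3" (assumed output shape, not verified here).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def status(version: Version) -> str:
    """Return 'vulnerable', 'patched' or 'not_affected' for a version triple."""
    if version < FIRST_AFFECTED:
        return "not_affected"  # the advisory only lists 3.9 and later
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        # Release lines newer than 3.11 are not listed as affected.
        return "not_affected"
    return "vulnerable" if version < fixed else "patched"


def is_vulnerable(version_text: str, private_mode: bool) -> bool:
    """True only if the version is in an affected range AND Private Mode is on."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no x.y.z version found in {version_text!r}")
    return private_mode and status(version) == "vulnerable"


if __name__ == "__main__":
    for line in ["GitHub Enterprise Server 3.10.3", "3.11.1", "3.8.12", "3.9.7"]:
        print(f"{line:35} -> {status(parse_version(line))}")
```

Feed it the output of the version check above; a result of "patched" after the upgrade is the expected state, and anything reported as "vulnerable" on a Private Mode instance needs the fix or the workarounds.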

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests to authentication endpoints
  • Access to private resources from unauthenticated sources
  • Failed authentication attempts followed by successful access

Network Indicators:

  • API requests with unusual headers or parameters to authentication endpoints
  • Traffic patterns suggesting authentication bypass

SIEM Query:

source="github-enterprise" AND (event_type="api_request" AND (uri_path="/api/v3/*" OR uri_path="/api/graphql") AND user="anonymous")
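The SIEM query and the "failed authentication followed by successful access" indicator above, run over constructed audit-log lines as an added example (not code from the advisory or from GitHub). The JSON-lines shape and field names (source, event_type, uri_path, user, actor_ip, status, ts) mirror the query and are assumptions; real GHES audit-log field names may differ, and the IP addresses are documentation ranges.

```python
"""Run the advisory's detection logic over constructed GHES-style log lines."""
import json
from fnmatch import fnmatch
from typing import Dict, List

# Constructed sample log (JSON lines). Field names are assumptions chosen to
# match the SIEM query; adjust them to your collector's schema.
SAMPLE_LOG = """
{"ts": 100, "source": "github-enterprise", "event_type": "api_request", "uri_path": "/api/v3/repos/acme/internal", "user": "octocat", "actor_ip": "198.51.100.10", "status": 200}
{"ts": 101, "source": "github-enterprise", "event_type": "api_request", "uri_path": "/api/v3/repos/acme/internal", "user": "anonymous", "actor_ip": "203.0.113.7", "status": 200}
{"ts": 102, "source": "github-enterprise", "event_type": "api_request", "uri_path": "/api/graphql", "user": "anonymous", "actor_ip": "203.0.113.7", "status": 200}
{"ts": 103, "source": "github-enterprise", "event_type": "api_request", "uri_path": "/api/v3/meta", "user": "anonymous", "actor_ip": "198.51.100.20", "status": 401}
{"ts": 105, "source": "github-enterprise", "event_type": "auth_failure", "uri_path": "/login", "user": "anonymous", "actor_ip": "203.0.113.9", "status": 401}
{"ts": 106, "source": "github-enterprise", "event_type": "api_request", "uri_path": "/api/v3/repos/acme/secrets", "user": "anonymous", "actor_ip": "203.0.113.9", "status": 200}
{"ts": 107, "source": "other-app", "event_type": "api_request", "uri_path": "/api/v3/x", "user": "anonymous", "actor_ip": "203.0.113.9", "status": 200}
"""


def parse_log(text: str) -> List[Dict]:
    """Parse JSON-lines input, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_siem_query(event: Dict) -> bool:
    """The SIEM query above, expressed in Python.

    source="github-enterprise" AND event_type="api_request"
    AND (uri_path="/api/v3/*" OR uri_path="/api/graphql") AND user="anonymous"
    """
    path = event.get("uri_path", "")
    return (
        event.get("source") == "github-enterprise"
        and event.get("event_type") == "api_request"
        and (fnmatch(path, "/api/v3/*") or path == "/api/graphql")
        and event.get("user") == "anonymous"
    )


def anonymous_api_hits(events: List[Dict]) -> List[Dict]:
    """Every event the raw query would return, including rejected (4xx) calls."""
    return [e for e in events if matches_siem_query(e)]


def successful_anonymous_hits(events: List[Dict]) -> List[Dict]:
    """Anonymous API calls that succeeded: on a Private Mode instance these
    should not exist, so each one is worth triage rather than a noisy alert."""
    return [e for e in anonymous_api_hits(events) if e.get("status", 0) < 300]


def fail_then_success(events: List[Dict], window: int) -> List[str]:
    """IPs with an auth_failure followed within `window` seconds by a
    successful anonymous API call (the advisory's sequence indicator)."""
    last_failure: Dict[str, int] = {}
    flagged: List[str] = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ip = e.get("actor_ip", "")
        if e.get("event_type") == "auth_failure":
            last_failure[ip] = e["ts"]
        elif matches_siem_query(e) and e.get("status", 0) < 300:
            t = last_failure.get(ip)
            if t is not None and e["ts"] - t <= window and ip not in flagged:
                flagged.append(ip)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in successful_anonymous_hits(evs):
        print(f"anonymous success: ts={e['ts']} ip={e['actor_ip']} path={e['uri_path']}")
    print("fail-then-success IPs:", fail_then_success(evs, window=60))
```

The raw query also returns anonymous calls that the appliance rejected (the 401 at ts 103); filtering on a 2xx status separates expected Private Mode rejections from the access the advisory warns about.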
