CVE-2023-23763: 
GitHub Enterprise Server vulnerability analysis and mitigation

An authorization/sensitive information disclosure vulnerability (CVE-2023-23763) was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.10.0 and was fixed in versions 3.9.4, 3.8.9, 3.7.16 and 3.6.18. This vulnerability was reported via the GitHub Bug Bounty program (NVD, GitHub Release Notes).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The weakness has been categorized under CWE-862 (Missing Authorization) by NIST and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) by GitHub (NVD).

The vulnerability allowed unauthorized access to private repository content through forked repositories. Specifically, when a repository's visibility was changed to private, forks of that repository could still maintain read access to the upstream repository, potentially exposing sensitive information (NVD).

The vulnerability has been fixed in GitHub Enterprise Server versions 3.9.4, 3.8.9, 3.7.16, and 3.6.18. Organizations using affected versions should upgrade to the patched versions to mitigate this security risk (GitHub Release Notes).