CVE-2023-46645: 
GitHub Enterprise Server vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2023-46645) was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. The vulnerability was discovered and reported through the GitHub Bug Bounty program and affected all versions of GitHub Enterprise Server since 3.7. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance (NVD).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 6.8 MEDIUM (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). The vulnerability allows arbitrary file reading through path traversal when building GitHub Pages sites (NVD).

The vulnerability allows an attacker with permissions to create and build GitHub Pages sites to perform arbitrary file reading on the GitHub Enterprise Server instance. This could potentially expose sensitive information stored on the server (NVD).

The vulnerability has been fixed in GitHub Enterprise Server versions 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Organizations should upgrade to these or later versions to mitigate the vulnerability (GitHub Release Notes).