CVE-2023-46648: 
GitHub Enterprise Server vulnerability analysis and mitigation

An insufficient entropy vulnerability (CVE-2023-46648) was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in versions 3.8.12, 3.9.7, 3.10.4, and 3.11.1 (NVD).

The vulnerability is classified as an insufficient entropy issue (CWE-331). The CVSS v3.1 base score is 8.3 HIGH with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating that the vulnerability can be exploited remotely with high attack complexity, requires no privileges but does require user interaction, and can result in high impacts to confidentiality, integrity, and availability (NVD).

If successfully exploited, an attacker could gain unauthorized access to the GHES Management Console by brute forcing user invitations. This could potentially lead to administrative access to the GitHub Enterprise Server instance, compromising the security of the entire system (NVD).

The vulnerability has been fixed in GitHub Enterprise Server versions 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Organizations running affected versions should upgrade to the patched versions immediately. The vulnerability was reported through the GitHub Bug Bounty program (GitHub Release Notes).