CVE-2023-6746: 
GitHub Enterprise Server vulnerability analysis and mitigation

An insertion of sensitive information into log file vulnerability (CVE-2023-6746) was identified in the log files for a GitHub Enterprise Server back-end service. The vulnerability was discovered and disclosed on December 21, 2023, affecting all versions of GitHub Enterprise Server since 3.7. The issue was fixed in versions 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1 (NVD).

The vulnerability could permit an adversary in the middle attack when combined with other phishing techniques. The CVSS v3.1 base score is 8.1 HIGH (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N) according to GitHub's assessment, while NIST assessed it as 5.7 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N). The vulnerability is classified as CWE-532: Insertion of Sensitive Information into Log File (NVD).

To exploit this vulnerability, an attacker would need access to either the log files for the GitHub Enterprise Server appliance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. This could potentially expose sensitive information stored in the logs (NVD).

The vulnerability has been fixed in GitHub Enterprise Server versions 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. Users should upgrade to these or later versions to mitigate the risk (GitHub Release Notes).