CVE-2023-6847: 
GitHub Enterprise Server vulnerability analysis and mitigation

An improper authentication vulnerability (CVE-2023-6847) was identified in GitHub Enterprise Server that allowed a bypass of Private Mode by using a specially crafted API request. The vulnerability was discovered and reported through the GitHub Bug Bounty program and affected all versions of GitHub Enterprise Server since 3.9. The issue was fixed in versions 3.9.7, 3.10.4, and 3.11.1 (NVD).

The vulnerability is classified as CWE-287 (Improper Authentication) with a CVSS v3.1 base score of 7.5 HIGH. The attack vector is Network-based (AV:N) with Low attack complexity (AC:L), requiring No privileges (PR:N) and No user interaction (UI:N). The scope is Unchanged (S:U), with No impact on confidentiality (C:N), High impact on integrity (I:H), and No impact on availability (A:N) (NVD).

To exploit this vulnerability, an attacker would need network access to the Enterprise Server appliance configured in Private Mode. The successful exploitation could lead to a bypass of the Private Mode security feature (NVD).

The vulnerability has been patched in GitHub Enterprise Server versions 3.9.7, 3.10.4, and 3.11.1. Users should upgrade to these or later versions to mitigate the vulnerability (GitHub Release Notes).