CVE-2022-23738

CVE-2022-23738: Incomplete cache verification issue in GitHub Enterprise Server leading to exposure of private repo files

Vendor Github
Product GitHub Enterprise Server
Weakness CWE-200 · Info exposure
Published November 1, 2022
Last update May 6, 2025
View on NVD All CVEs

CVSS base score

What the vulnerability does

01Description

An improper cache key vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to access private repository files through a public repository. To exploit this, an actor would need to already be authorized on the GitHub Enterprise Server instance, be able to create a public repository, and have a site administrator visit a specially crafted URL. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.6 and was fixed in versions 3.2.20, 3.3.15, 3.4.10, 3.5.7, 3.6.3. This vulnerability was reported via the GitHub Bug Bounty program.

Key dates

02Disclosure timeline

November 1, 2022 CVE published
May 6, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-30096 Windows Cryptographic Services Information Disclosure Vulnerability CVE-2024-2725 Exposure of Sensitive Information vulnerability in the CIGESv2 system CVE-2024-8756 Quform - WordPress Form Builder <= 2.20.0 - Unauthenticated Sensitive Information Exposure CVE-2026-20164 Sensitive Information Disclosure through Improper Access Control in Splunk Enterprise CVE-2026-41183 FreeScout allows non-folder conversation queries to disclose assigned-only hidden conversations