CVE-2021-22862

Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions 3.0.0, 3.0.0.rc2, and 3.0.0.rc1

Description An improper access control issue was identified that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This issue existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit the Actions secrets sent a workflow from forks could be bypassed.

Recommendations For GitHub Enterprise Server version 3.0.0, update to a version that includes the fix for this issue. For GitHub Enterprise Server version 3.0.0.rc2, update to a version that includes the fix for this issue. For GitHub Enterprise Server version 3.0.0.rc1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the ability to fork repositories and update the base reference of pull requests to minimize the risk of exploitation.