PT-2021-15238 · Github · Github Enterprise Server
Djcruz93 · Published 2021-04-02 · Updated 2022-10-25
CVE-2021-22865
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
GitHub Enterprise Server versions prior to 3.0.4
GitHub Enterprise Server versions prior to 2.22.10
GitHub Enterprise Server versions prior to 2.21.18
Description
An improper access control issue was identified that allowed access tokens generated from a GitHub App's web authentication flow to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this, an attacker would need to create a GitHub App and have a user authorize it. The private repository metadata returned is limited to repositories owned by the user that the token identifies.
Recommendations
For versions prior to 3.0.4, update to version 3.0.4 or later.
For versions prior to 2.22.10, update to version 2.22.10 or later.
For versions prior to 2.21.18, update to version 2.21.18 or later.
Fix
Weakness Enumeration: Improper Authorization
Related Identifiers: CVE-2021-22865
Affected Products: Github Enterprise Server