PT-2021-15239 · Github · Github Enterprise Server

Vaibhav Singh · Published 2021-05-14 · Updated 2021-05-25

CVE-2021-22866

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions 2.22.x prior to 2.22.13; GitHub Enterprise Server versions 3.0.x prior to 3.0.7
Description: A UI misrepresentation issue was identified that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user. To exploit this, an attacker would need to create a GitHub App and have a user authorize it. During the initial authorization, all permissions are properly shown, but if the user revisits the authorization flow after the GitHub App configures additional user-level permissions, those extra permissions may not be displayed, leading to more permissions being granted than intended.
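The check the description implies, as an added Python model that is not GitHub's code: a consent screen must show every permission the app now requests beyond what the user already granted, and the grant must never exceed what was shown. Permission names, the scenario and the function names are constructed for the illustration.

```python
# Added illustration (not GitHub's code): consent-screen check for an app
# user-authorization flow, modelling the CVE-2021-22866 failure mode.
# Permission names below are constructed sample values.


def permissions_to_display(previously_granted, requested):
    """Permissions the consent screen must show on this visit: everything
    the app now requests that the user has not already granted."""
    return set(requested) - set(previously_granted)


def vulnerable_grant(previously_granted, requested, displayed):
    """Buggy behaviour: grants the app's *current* request regardless of
    which permissions the consent page actually showed."""
    return set(previously_granted) | set(requested)


def fixed_grant(previously_granted, requested, displayed):
    """Hardened behaviour: a permission is granted only if the user already
    granted it earlier or it was displayed on this consent screen."""
    hidden = set(requested) - set(displayed) - set(previously_granted)
    if hidden:
        raise PermissionError(f"requested but never displayed: {sorted(hidden)}")
    return set(previously_granted) | (set(requested) & set(displayed))


# Constructed scenario: the app adds a user-level permission after the
# user's first authorization, then the user revisits the flow.
FIRST_REQUEST = {"user:email", "read:user"}
LATER_REQUEST = FIRST_REQUEST | {"write:gpg_key"}


def simulate(grant, recompute_diff):
    """First consent, then a revisit. With recompute_diff=False the revisit
    page is stale and shows only the original permissions (the reported
    bug). Returns the final granted set, or None if the grant is refused."""
    granted = grant(set(), FIRST_REQUEST, FIRST_REQUEST)
    if recompute_diff:
        screen = permissions_to_display(granted, LATER_REQUEST)
    else:
        screen = FIRST_REQUEST  # stale page: new permission never shown
    try:
        return grant(granted, LATER_REQUEST, screen)
    except PermissionError:
        return None


if __name__ == "__main__":
    print("vulnerable, stale page:", sorted(simulate(vulnerable_grant, False)))
    print("fixed, stale page:     ", simulate(fixed_grant, False))
    print("fixed, diff recomputed:", sorted(simulate(fixed_grant, True)))
```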
Recommendations: For GitHub Enterprise Server versions 2.22.x prior to 2.22.13, update to version 2.22.13 to resolve the issue. For GitHub Enterprise Server versions 3.0.x prior to 3.0.7, update to version 3.0.7 to resolve the issue.

Fix

Weakness Enumeration: Clickjacking; UI Misrepresentation of Critical Information

Related Identifiers: CVE-2021-22866

Affected Products: Github Enterprise Server