PT-2021-15242 · Github · Github Enterprise Server

Published: 2021-09-24 · Updated: 2022-10-25 · CVE-2021-22869

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions 3.0.0 through 3.0.15; GitHub Enterprise Server versions 3.1.0 through 3.1.7

Description: An improper access control issue in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to, affecting customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group could access all of the enterprise runner groups within the organization due to improper authentication checks during the request, potentially causing code to be run unintentionally by the incorrect runner group.

Recommendations: For GitHub Enterprise Server versions 3.0.0 through 3.0.15, update to version 3.0.16 or later to resolve the issue. For GitHub Enterprise Server versions 3.1.0 through 3.1.7, update to version 3.1.8 or later to resolve the issue.
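The shape of the flaw in the description (a grant to one runner group being honoured by every group in the organization) and the version ranges in the recommendations, as an added illustration that is not GitHub's code or the advisory's own material. The runner-group and organization objects, the repository and group names, and the `audit_group_exposure` and `required_fix` helpers are constructed assumptions for the model; only the affected ranges and fixed releases are taken from the advisory.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class RunnerGroup:
    name: str
    allowed_repos: frozenset[str]  # repositories permitted to dispatch jobs to this group


@dataclass
class Organization:
    name: str
    groups: dict[str, RunnerGroup] = field(default_factory=dict)

    def add_group(self, name: str, *repos: str) -> None:
        self.groups[name] = RunnerGroup(name, frozenset(repos))


def can_use_group_vulnerable(org: Organization, repo: str, group_name: str) -> bool:
    """Authorization check with the flaw's shape (toy model, not GitHub's code):
    the repository's membership is evaluated against every group in the
    organization, so a grant to one group opens all of them."""
    if group_name not in org.groups:
        return False
    return any(repo in g.allowed_repos for g in org.groups.values())


def can_use_group_fixed(org: Organization, repo: str, group_name: str) -> bool:
    """Corrected check: the repository must be on the allow list of the
    specific group the job is being dispatched to."""
    group = org.groups.get(group_name)
    return group is not None and repo in group.allowed_repos


def audit_group_exposure(org: Organization) -> dict[str, list[str]]:
    """For each repository, list the groups the flawed check would have let it
    reach although it is not on that group's allow list. This is the set of
    (repo, group) pairs worth reviewing in runner job history after upgrading."""
    repos = set().union(*(g.allowed_repos for g in org.groups.values()))
    exposure: dict[str, list[str]] = {}
    for repo in sorted(repos):
        leaked = [
            name for name in sorted(org.groups)
            if can_use_group_vulnerable(org, repo, name)
            and not can_use_group_fixed(org, repo, name)
        ]
        if leaked:
            exposure[repo] = leaked
    return exposure


# Affected ranges and first fixed release, as stated in the advisory.
AFFECTED_RANGES = (
    ((3, 0, 0), (3, 0, 15), "3.0.16"),
    ((3, 1, 0), (3, 1, 7), "3.1.8"),
)


def parse_version(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.strip().split("."))


def required_fix(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` falls in an affected range,
    otherwise None (versions outside both ranges are not listed as affected)."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v <= high:
            return fix
    return None


def build_sample_org() -> Organization:
    """Constructed sample data, not a real deployment."""
    org = Organization("acme")
    org.add_group("prod-deploy", "acme/infra")
    org.add_group("ci-general", "acme/web", "acme/api")
    return org


if __name__ == "__main__":
    org = build_sample_org()
    print(can_use_group_vulnerable(org, "acme/web", "prod-deploy"))  # True: the flaw
    print(can_use_group_fixed(org, "acme/web", "prod-deploy"))       # False
    print(audit_group_exposure(org))
    print(required_fix("3.1.3"))  # 3.1.8
```

The difference between the two checks is one line: the vulnerable form answers "is this repository allowed into any group in this organization?", the fixed form answers "is it allowed into the group this job is actually asking for?". `audit_group_exposure` turns that difference into a list of runner groups that, under the flawed check, would have accepted jobs from repositories outside their allow list.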

Weakness Enumeration
Improper Authentication
Exposure of Resource to Wrong Sphere

Related Identifiers
CVE-2021-22869

Affected Products
Github Enterprise Server