PT-2022-11438 · GitHub · GitHub Enterprise Server

Author: Vaibhav Singh
Published: 2022-01-25
Updated: 2022-02-01

CVE-2021-41598
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.3

Description: A UI misrepresentation issue was identified that allowed more permissions to be granted during a GitHub App's user-authorization web flow than were displayed to the user during approval. To exploit this, an attacker would need to create a GitHub App and have a user authorize it through the web authentication flow. The issue occurred when a user updated the set of repositories the app was installed on after the GitHub App had configured additional user-level permissions, leading to more permissions being granted than the user potentially intended.

Recommendations: For versions prior to 3.2.5, update to version 3.2.5 or later. For versions prior to 3.1.13, update to version 3.1.13 or later. For versions prior to 3.0.21, update to version 3.0.21 or later. As a temporary workaround, consider restricting the use of GitHub Apps that configure additional user-level permissions until a patch is available.

Fix

Weakness Enumeration: UI Misrepresentation of Critical Information

Related Identifiers: CVE-2021-41598

Affected Products: GitHub Enterprise Server