PT-2023-12733 · GitHub · GitHub Enterprise Server
Author: Ahacker1 · Published: 2023-01-17 · Updated: 2025-04-08 · CVE-2022-23739
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.7.1

Description: An incorrect authorization issue was identified, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This issue enabled an app installed on an organization to access and modify most organization-level resources not tied to a repository, such as users and organization-wide projects, regardless of granted permissions. Resources associated with repositories, like repository file content, repository-specific projects, issues, or pull requests, were not impacted. The issue was reported via the GitHub Bug Bounty program.

Recommendations:
For GitHub Enterprise Server versions prior to 3.3.16, update to version 3.3.16 or later.
For GitHub Enterprise Server versions 3.3.x, update to version 3.3.16 or later.
For GitHub Enterprise Server versions 3.4.x, update to version 3.4.11 or later.
For GitHub Enterprise Server versions 3.5.x, update to version 3.5.8 or later.
For GitHub Enterprise Server versions 3.6.x, update to version 3.6.4 or later.
For GitHub Enterprise Server versions prior to 3.7.1, update to version 3.7.1.

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2022-23739

Affected Products: GitHub Enterprise Server