CVE-2021-22865

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's web authentication flow to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. The private repository metadata returned would be limited to repositories owned by the user the token identifies. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.4 and was fixed in versions 3.0.4, 2.22.10, 2.21.18. This vulnerability was reported via the GitHub Bug Bounty program.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:50

Type Values Removed Values Added
References () https://docs.github.com/en/enterprise-server%402.21/admin/release-notes#2.21.18 - () https://docs.github.com/en/enterprise-server%402.21/admin/release-notes#2.21.18 -
References () https://docs.github.com/en/enterprise-server%402.22/admin/release-notes#2.22.10 - () https://docs.github.com/en/enterprise-server%402.22/admin/release-notes#2.22.10 -
References () https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.4 - () https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.4 -

07 Nov 2023, 03:30

Type Values Removed Values Added
References
  • {'url': 'https://docs.github.com/en/enterprise-server@2.21/admin/release-notes#2.21.18', 'name': 'https://docs.github.com/en/enterprise-server@2.21/admin/release-notes#2.21.18', 'tags': ['Release Notes', 'Vendor Advisory'], 'refsource': 'MISC'}
  • {'url': 'https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.4', 'name': 'https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.4', 'tags': ['Release Notes', 'Vendor Advisory'], 'refsource': 'MISC'}
  • {'url': 'https://docs.github.com/en/enterprise-server@2.22/admin/release-notes#2.22.10', 'name': 'https://docs.github.com/en/enterprise-server@2.22/admin/release-notes#2.22.10', 'tags': ['Release Notes', 'Vendor Advisory'], 'refsource': 'MISC'}
  • () https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.4 -
  • () https://docs.github.com/en/enterprise-server%402.21/admin/release-notes#2.21.18 -
  • () https://docs.github.com/en/enterprise-server%402.22/admin/release-notes#2.22.10 -

Information

Published : 2021-04-02 18:15

Updated : 2024-11-21 05:50


NVD link : CVE-2021-22865

Mitre link : CVE-2021-22865

CVE.ORG link : CVE-2021-22865


JSON object : View

Products Affected

github

  • enterprise_server
CWE
CWE-285

Improper Authorization

NVD-CWE-Other