CVE-2022-23741

Summary

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, and 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program.

Affected Software

VendorProductVersion RangeStatus
GitHubGitHub Enterprise Server3.3 < 3.3.17affected
GitHubGitHub Enterprise Server3.4 < 3.4.12affected
GitHubGitHub Enterprise Server3.5 < 3.5.9affected
GitHubGitHub Enterprise Server3.6 < 3.6.5affected

Weaknesses

  • CWE-863: CWE-863

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References