CVE-2021-22862

Improper access control in GitHub Enterprise Server leading to the disclosure of Actions secrets to forks

Severity Score: 6.5 (CVSS v3.1)
Exploit Likelihood: - (EPSS)
Affected Versions: - (CPE)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets of the parent repository of the fork. The vulnerability existed because of a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or to another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit which Actions secrets are sent to a workflow triggered from a fork could be bypassed. This vulnerability affected GitHub Enterprise Server versions 3.0.0, 3.0.0.rc2, and 3.0.0.rc1. It was reported via the GitHub Bug Bounty program.

Credits: Teddy Katz

CVSS Scores

CVSS v3.1 (base score 6.5)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

CVSS v2.0
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None

* Common Vulnerability Scoring System

SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario

Timeline
  • 2021-01-06 CVE Reserved
  • 2021-03-03 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-03 CVE Updated
  • Exploited in Wild: -
  • KEV Due Date: -
  • First Exploit: -

CWE
  • CWE-285: Improper Authorization

CAPEC
  • -

Affected Vendors, Products, and Versions

Vendor   Product   Version   Other   Status
Github   Github    3.0.0     -       Affected
Github   Github    3.0.0     rc1     Affected
Github   Github    3.0.0     rc2     Affected