// For flags

CVE-2021-22863

Improper access control in GitHub Enterprise Server leading to unauthorized changes to maintainer permissions on pull requests

Severity Score

8.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker would be able to gain access to head branches of pull requests opened on repositories of which they are a maintainer. Forking is disabled by default for organization owned private repositories and would prevent this vulnerability. Additionally, branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability affected all versions of GitHub Enterprise Server since 2.12.22 and was fixed in versions 2.20.24, 2.21.15, 2.22.7 and 3.0.1. This vulnerability was reported via the GitHub Bug Bounty program.

Se identificó una vulnerabilidad de control de acceso inadecuada en la API GraphQL de GitHub Enterprise Server que permitía a los usuarios autenticados de la instancia modificar el permiso de colaboración del mantenedor de un pull request sin la autorización adecuada. Al explotar esta vulnerabilidad, un atacante podría obtener acceso a las ramas principales de los pull requests abiertos en los repositorios de los que es mantenedor. La bifurcación está deshabilitada por defecto para los repositorios privados propiedad de la organización y evitaría esta vulnerabilidad. Además, las protecciones de las ramas, como las revisiones requeridas de las solicitudes de extracción o las comprobaciones de estado, impedirían que los commits no autorizados se fusionaran sin más revisión o validación. Esta vulnerabilidad afectaba a todas las versiones de GitHub Enterprise Server desde la versión 2.12.22 y fue corregida en las versiones 2.20.24, 2.21.15, 2.22.7 y 3.0.1. Esta vulnerabilidad fue reportada a través del programa GitHub Bug Bounty

*Credits: Teddy Katz
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-01-06 CVE Reserved
  • 2021-03-03 CVE Published
  • 2023-11-08 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-285: Improper Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Github
Search vendor "Github"
 Github
Search vendor "Github" for product "Github"
 >= 2.12.22 < 2.20.24
Search vendor "Github" for product "Github" and version " >= 2.12.22 < 2.20.24"
enterprise
Affected
Github
Search vendor "Github"
 Github
Search vendor "Github" for product "Github"
 >= 2.21.0 < 2.21.15
Search vendor "Github" for product "Github" and version " >= 2.21.0 < 2.21.15"
enterprise
Affected
Github
Search vendor "Github"
 Github
Search vendor "Github" for product "Github"
 >= 2.22.0 < 2.22.7
Search vendor "Github" for product "Github" and version " >= 2.22.0 < 2.22.7"
enterprise
Affected
Github
Search vendor "Github"
 Github
Search vendor "Github" for product "Github"
 >= 3.0.0 < 3.0.1
Search vendor "Github" for product "Github" and version " >= 3.0.0 < 3.0.1"
-
Affected