CVE-2021-22869

Improper access control in GitHub Enterprise Server allows self-hosted runners to execute outside their control group

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group could access all of the enterprise runner groups within the organization because of improper authentication checks during the request. This could cause code to be run unintentionally by the incorrect runner group. This vulnerability affected GitHub Enterprise Server versions from 3.0.0 to 3.0.15 and 3.1.0 to 3.1.7 and was fixed in 3.0.16 and 3.1.8 releases.

Una vulnerabilidad de control de acceso inapropiada en GitHub Enterprise Server permitió que un trabajo de workflow se ejecutara en un grupo de ejecución auto alojado al que no debería haber tenido acceso. Esto afecta a clientes que usan grupos de ejecutores auto hosteado para el control de acceso. Un repositorio con acceso a un grupo de ejecutores de empresa podía acceder a todos los grupos de ejecutores de empresa de la organización debido a unas comprobaciones de autenticación inapropiadas durante la petición. Esto podría causar una ejecución involuntaria de código por parte del grupo de ejecutores incorrecto. Esta vulnerabilidad afectaba a las versiones de GitHub Enterprise Server desde la 3.0.0 a 3.0.15 y desde la 3.1.0 a 3.1.7 y se corrigió en las versiones 3.0.16 y 3.1.8.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-06 CVE Reserved
2021-09-24 CVE Published
2024-06-09 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-287: Improper Authentication
CWE-668: Exposure of Resource to Wrong Sphere

CAPEC

References (2)

URL	Tag	Source
https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.16	X_refsource_misc
https://docs.github.com/en/enterprise-server%403.1/admin/release-notes#3.1.8	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Github Search vendor "Github"		Enterprise Server Search vendor "Github" for product "Enterprise Server"				>= 3.0.0 < 3.0.16 Search vendor "Github" for product "Enterprise Server" and version " >= 3.0.0 < 3.0.16"		-		Affected
Github Search vendor "Github"		Enterprise Server Search vendor "Github" for product "Enterprise Server"				>= 3.1.0 < 3.1.8 Search vendor "Github" for product "Enterprise Server" and version " >= 3.1.0 < 3.1.8"		-		Affected