CVE-2021-22863: Improper access control in GitHub Enterprise Server leading to unauthorized changes to maintainer permissions on pull requests
First published: Wed Mar 03 2021(Updated: )
An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker would be able to gain access to head branches of pull requests opened on repositories of which they are a maintainer. Forking is disabled by default for organization owned private repositories and would prevent this vulnerability. Additionally, branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability affected all versions of GitHub Enterprise Server since 2.12.22 and was fixed in versions 2.20.24, 2.21.15, 2.22.7 and 3.0.1. This vulnerability was reported via the GitHub Bug Bounty program.
Credit: product-cna@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitHub GitHub | >=2.12.22<2.20.24 | |
| GitHub GitHub | >=2.21.0<2.21.15 | |
| GitHub GitHub | >=2.22.0<2.22.7 | |
| GitHub GitHub | >=3.0.0<3.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://docs.github.com/en/enterprise-server@2.20/admin/release-notes#2.20.24
- https://docs.github.com/en/enterprise-server@2.21/admin/release-notes#2.21.15
- https://docs.github.com/en/enterprise-server@2.22/admin/release-notes#2.22.7
- https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.1
- https://docs.github.com/en/enterprise-server%402.20/admin/release-notes#2.20.24
- https://docs.github.com/en/enterprise-server%402.21/admin/release-notes#2.21.15
- https://docs.github.com/en/enterprise-server%402.22/admin/release-notes#2.22.7
- https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.1
Frequently Asked Questions
What is CVE-2021-22863?
CVE-2021-22863 is an improper access control vulnerability identified in the GitHub Enterprise Server GraphQL API.
What is the severity of CVE-2021-22863?
The severity of CVE-2021-22863 is high with a CVSS score of 8.1.
How does CVE-2021-22863 affect GitHub Enterprise Server?
CVE-2021-22863 affects GitHub Enterprise Server versions from 2.12.22 to 2.20.24, versions from 2.21.0 to 2.21.15, and versions from 2.22.0 to 2.22.7.
What can an attacker do by exploiting CVE-2021-22863?
By exploiting CVE-2021-22863, an attacker can modify the maintainer collaboration permission of a pull request without proper authorization.
How can I fix CVE-2021-22863?
To fix CVE-2021-22863, update your GitHub Enterprise Server to the recommended versions: 2.20.24, 2.21.15, or 2.22.7.
- agent/type
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/weakness
- agent/severity
- agent/author
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/title
- agent/tags
- agent/event
- agent/first-publish-date
- vendor/github
- canonical/github github
- version/github github/2.12.22
- version/github github/2.21.0
- version/github github/2.22.0
- version/github github/3.0.0