What is CVE-2021-22866?

CVE-2021-22866 is a UI misrepresentation vulnerability identified in GitHub Enterprise Server that allows more permissions to be granted during a GitHub App's user-authorization web flow than is displayed to the user during approval.

What is the severity of CVE-2021-22866?

The severity of CVE-2021-22866 is high with a CVSS score of 8.8.

How does CVE-2021-22866 exploit work?

To exploit CVE-2021-22866, an attacker would need to create a GitHub App and trick the user into approving more permissions than displayed.

Which versions of GitHub Enterprise Server are affected by CVE-2021-22866?

GitHub Enterprise Server versions between 2.20.0 and 2.22.13, as well as versions between 3.0.0 and 3.0.7, are affected by CVE-2021-22866.

How can I fix CVE-2021-22866?

To fix CVE-2021-22866, update to GitHub Enterprise Server version 2.22.13 or higher for the 2.x line, and version 3.0.7 or higher for the 3.x line.

Vulnerability/
CVE-2021-22866

high

8.8

CWE

1021 451

14/5/2021

3/8/2024

CVE-2021-22866: UI misrepresentation of granted permissions in GitHub Enterprise Server leading to unauthorized access to user resources

First published: Fri May 14 2021(Updated: )

A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but in certain circumstances, if the user revisits the authorization flow after the GitHub App has configured additional user-level permissions, those additional permissions may not be shown, leading to more permissions being granted than the user potentially intended. This vulnerability affected GitHub Enterprise Server 3.0.x prior to 3.0.7 and 2.22.x prior to 2.22.13. It was fixed in versions 3.0.7 and 2.22.13. This vulnerability was reported via the GitHub Bug Bounty program.

Credit: product-cna@github.com

Affected Software	Affected Version	How to fix
GitHub Enterprise Server	>=2.20.0<2.22.13
GitHub Enterprise Server	>=3.0.0<3.0.7

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-22866?
CVE-2021-22866 is a UI misrepresentation vulnerability identified in GitHub Enterprise Server that allows more permissions to be granted during a GitHub App's user-authorization web flow than is displayed to the user during approval.
What is the severity of CVE-2021-22866?
The severity of CVE-2021-22866 is high with a CVSS score of 8.8.
How does CVE-2021-22866 exploit work?
To exploit CVE-2021-22866, an attacker would need to create a GitHub App and trick the user into approving more permissions than displayed.
Which versions of GitHub Enterprise Server are affected by CVE-2021-22866?
GitHub Enterprise Server versions between 2.20.0 and 2.22.13, as well as versions between 3.0.0 and 3.0.7, are affected by CVE-2021-22866.
How can I fix CVE-2021-22866?
To fix CVE-2021-22866, update to GitHub Enterprise Server version 2.22.13 or higher for the 2.x line, and version 3.0.7 or higher for the 3.x line.

collector/nvd-index
agent/weakness
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/severity
agent/references
agent/author
agent/last-modified-date
agent/title
agent/tags
agent/description
agent/event
agent/first-publish-date
vendor/github
canonical/github enterprise server
version/github enterprise server/2.20.0
version/github enterprise server/3.0.0