CVE-2022-23741
First published: Wed Dec 14 2022(Updated: )
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, and 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program.
Credit: product-cna@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitHub Enterprise Server | <3.3.17 | |
| GitHub Enterprise Server | >=3.4.0<3.4.12 | |
| GitHub Enterprise Server | >=3.5.0<3.5.9 | |
| GitHub Enterprise Server | >=3.6.0<3.6.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-23741?
CVE-2022-23741 is an incorrect authorization vulnerability in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges.
How can an attacker exploit CVE-2022-23741?
To exploit CVE-2022-23741, an attacker would require an account with admin access to install a malicious GitHub App.
Which versions of GitHub Enterprise Server are affected by CVE-2022-23741?
GitHub Enterprise Server versions up to and including 3.3.17, 3.4.0 to 3.4.12, 3.5.0 to 3.5.9, and 3.6.0 to 3.6.5 are affected by CVE-2022-23741.
What is the severity of CVE-2022-23741?
CVE-2022-23741 has a severity score of 7.2, indicating a high severity vulnerability.
How was CVE-2022-23741 fixed?
CVE-2022-23741 was fixed in version 3.3.17, 3.4.12, 3.5.9, and 3.6.5 of GitHub Enterprise Server.
- collector/nvd-index
- vendor/github
- canonical/github enterprise server
- version/github enterprise server/3.4.0
- version/github enterprise server/3.5.0
- version/github enterprise server/3.6.0