Which versions of GitHub Enterprise Server are affected by CVE-2022-23741?

GitHub Enterprise Server versions up to and including 3.3.17, 3.4.0 to 3.4.12, 3.5.0 to 3.5.9, and 3.6.0 to 3.6.5 are affected by CVE-2022-23741.

What is the severity of CVE-2022-23741?

CVE-2022-23741 has a severity score of 7.2, indicating a high severity vulnerability.

How was CVE-2022-23741 fixed?

CVE-2022-23741 was fixed in version 3.3.17, 3.4.12, 3.5.9, and 3.6.5 of GitHub Enterprise Server.

Vulnerability/
CVE-2022-23741

high

7.2

CWE

863

14/12/2022

3/8/2024

CVE-2022-23741: Incorrect authorization in GitHub Enterprise Server token generation leading to full admin access

Q: What is CVE-2022-23741?

CVE-2022-23741 is an incorrect authorization vulnerability in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges.

Q: How can an attacker exploit CVE-2022-23741?

To exploit CVE-2022-23741, an attacker would require an account with admin access to install a malicious GitHub App.

First published: Wed Dec 14 2022(Updated: )

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, and 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program.

Credit: product-cna@github.com

Affected Software	Affected Version	How to fix
GitHub Enterprise Server	<3.3.17
GitHub Enterprise Server	>=3.4.0<3.4.12
GitHub Enterprise Server	>=3.5.0<3.5.9
GitHub Enterprise Server	>=3.6.0<3.6.5

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-23741?
CVE-2022-23741 is an incorrect authorization vulnerability in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges.
How can an attacker exploit CVE-2022-23741?
To exploit CVE-2022-23741, an attacker would require an account with admin access to install a malicious GitHub App.
Which versions of GitHub Enterprise Server are affected by CVE-2022-23741?
GitHub Enterprise Server versions up to and including 3.3.17, 3.4.0 to 3.4.12, 3.5.0 to 3.5.9, and 3.6.0 to 3.6.5 are affected by CVE-2022-23741.
What is the severity of CVE-2022-23741?
CVE-2022-23741 has a severity score of 7.2, indicating a high severity vulnerability.
How was CVE-2022-23741 fixed?
CVE-2022-23741 was fixed in version 3.3.17, 3.4.12, 3.5.9, and 3.6.5 of GitHub Enterprise Server.

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/title
agent/references
agent/last-modified-date
agent/severity
agent/author
agent/weakness
agent/description
agent/event
agent/tags
agent/first-publish-date
vendor/github
canonical/github enterprise server
version/github enterprise server/3.4.0
version/github enterprise server/3.5.0
version/github enterprise server/3.6.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.