CVE-2021-22862

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit the Actions secrets sent a workflow from forks could be bypassed. This vulnerability affected GitHub Enterprise Server version 3.0.0, 3.0.0.rc2, and 3.0.0.rc1. This vulnerability was reported via the GitHub Bug Bounty program.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.1

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:github:github:3.0.0:-::::::
	cpe:2.3:a:github:github:3.0.0:rc1::::::
	cpe:2.3:a:github:github:3.0.0:rc2::::::

History

No history.

Information

Published : 2021-03-03 04:15

Updated : 2023-11-07 03:30

NVD link : CVE-2021-22862

Mitre link : CVE-2021-22862

CVE.ORG link : CVE-2021-22862

JSON object : View

Products Affected

github

github

CWE

NVD-CWE-Other CWE-285

Improper Authorization

{"id": "CVE-2021-22862", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2021-03-03T04:15:13.163", "references": [{"url": "https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.1", "source": "product-cna@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "product-cna@github.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit the Actions secrets sent a workflow from forks could be bypassed. This vulnerability affected GitHub Enterprise Server version 3.0.0, 3.0.0.rc2, and 3.0.0.rc1. This vulnerability was reported via the GitHub Bug Bounty program."}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad de control de acceso inadecuada en GitHub Enterprise Server que permit\u00eda a un usuario autenticado con la capacidad de bifurcar un repositorio revelar los secretos de las acciones para el repositorio padre de la bifurcaci\u00f3n. Esta vulnerabilidad exist\u00eda debido a un fallo que permit\u00eda actualizar la referencia base de un pull request para que apuntara a un SHA arbitrario o a otro pull request fuera del repositorio fork. Al establecer esta referencia incorrecta en un PR, las restricciones que limitan las Acciones secretas enviadas a un flujo de trabajo desde los forks pod\u00edan ser eludidas. Esta vulnerabilidad afectaba a las versiones 3.0.0, 3.0.0.rc2 y 3.0.0.rc1 de GitHub Enterprise Server. Esta vulnerabilidad fue reportada a trav\u00e9s del programa GitHub Bug Bounty"}], "lastModified": "2023-11-07T03:30:26.363", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:github:github:3.0.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "61ABB5BF-C578-403B-8EF9-A28274F486FF"}, {"criteria": "cpe:2.3:a:github:github:3.0.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "634A0A6C-0F17-4DE2-B2D1-C3B0C5C8EDD6"}, {"criteria": "cpe:2.3:a:github:github:3.0.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0FA74C51-5AB4-4B23-B24B-5629736B17E1"}], "operator": "OR"}]}], "sourceIdentifier": "product-cna@github.com"}