CVE-2022-23741

moderate-risk

Published 2022-12-14

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, and 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program.

Do I need to act?

-

0.87% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

7

CVSS 7.2/10 High

NETWORK / LOW complexity

Affected Products (1)

Enterprise Server

Affected Vendors

Github

References (8)

https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.17

https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.12

https://docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.9

https://docs.github.com/en/enterprise-server%403.6/admin/release-notes#3.6.5

https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.17

https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.12

https://docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.9

https://docs.github.com/en/enterprise-server%403.6/admin/release-notes#3.6.5

34

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 3/34 · Minimal

Exposure 5/34 · Minimal