Improper access control in GitHub Enterprise Server allows self-hosted runners to execute outside their control group
CVE-2021-22869

9.8CRITICAL

Key Information:

Vendor: Github
Status: Github Enterprise Server
Vendor: CVE Published:; 24 September 2021

What is CVE-2021-22869?

An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group could access all of the enterprise runner groups within the organization because of improper authentication checks during the request. This could cause code to be run unintentionally by the incorrect runner group. This vulnerability affected GitHub Enterprise Server versions from 3.0.0 to 3.0.15 and 3.1.0 to 3.1.7 and was fixed in 3.0.16 and 3.1.8 releases.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

GitHub Enterprise Server 3.0 < 3.0.16

GitHub Enterprise Server 3.1 < 3.1.8

References

https://docs.github.com/en/enterprise-server%403.0/admin/...

x_refsource_MISC

https://docs.github.com/en/enterprise-server%403.1/admin/...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 24, 2021
Vulnerability Reserved
Jan 6, 2021

JSON

Github

What is CVE-2021-22869?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.