Incorrect authorization check in GitHub Enterprise Server leading to escalation of privileges in GraphQL API requests from GitHub Apps using scoped user-to-server tokens
CVE-2022-23739
What is CVE-2022-23739?
An incorrect authorization vulnerability was discovered in GitHub Enterprise Server that allows privilege escalation through GraphQL API requests made by GitHub Apps using scoped user-to-server tokens. An app installed in an organization could read and modify various organization-level resources regardless of the permissions it had been granted. Repository-scoped resources (repository contents, repository projects, issues and pull requests) were not affected. All versions prior to 3.7.1 are vulnerable; the issue is fixed in versions 3.3.16, 3.4.11, 3.5.8, 3.6.4 and 3.7.1.

Affected Version(s)
GitHub Enterprise Server 3.3 < 3.3.16
GitHub Enterprise Server 3.4 < 3.4.11
GitHub Enterprise Server 3.5 < 3.5.8
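Because the fix was backported to several release lines, a plain numeric comparison against 3.7.1 gives the wrong answer (3.5.8 is patched, 3.6.3 is not). The check below is an added example, not part of the advisory; it takes the version string an instance reports and decides whether it falls before the patched release of its own line, using the fixed versions given above. Release lines older than 3.3 are assumed to have received no backport and are treated as affected.

```python
# Patched releases per GHES release line, as listed in this advisory.
FIXED_VERSIONS = {
    (3, 3): (3, 3, 16),
    (3, 4): (3, 4, 11),
    (3, 5): (3, 5, 8),
    (3, 6): (3, 6, 4),
    (3, 7): (3, 7, 1),
}
# First release line that shipped with the fix; anything newer inherits it.
FIRST_FIXED_LINE = (3, 7, 1)


def parse_version(text):
    """Turn a GHES version string such as '3.5.7' into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True if the given GHES version is vulnerable to CVE-2022-23739."""
    version = parse_version(version_text)
    line = version[:2]
    if line in FIXED_VERSIONS:
        # Compare against the patched release of the same line, not 3.7.1.
        return version < FIXED_VERSIONS[line]
    if version >= FIRST_FIXED_LINE:
        # 3.8 and later already contain the fix.
        return False
    # Assumption: unlisted older lines (e.g. 3.2) received no backport.
    return True


if __name__ == "__main__":
    for v in ("3.5.7", "3.5.8", "3.6.3", "3.7.0", "3.8.0", "3.2.9"):
        print(v, "affected" if is_affected(v) else "patched")
```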