CVE-2022-23741
published 2022-12-14


Priority: P3 (43)
CVSS 3.1: 7.2 (High)
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.10% (61.5th percentile)
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, and 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program.

Affected (8 ranges)

Vendor   Product                   Version range         Fixed in
github   enterprise_server         < 3.3.17              3.3.17
github   enterprise_server         >= 3.4.0, < 3.4.12    3.4.12
github   enterprise_server         >= 3.5.0, < 3.5.9     3.5.9
github   enterprise_server         >= 3.6.0, < 3.6.5     3.6.5
github   github_enterprise_server  >= 3.3, < 3.3.17      3.3.17
github   github_enterprise_server  >= 3.4, < 3.4.12      3.4.12
github   github_enterprise_server  >= 3.5, < 3.5.9       3.5.9
github   github_enterprise_server  >= 3.6, < 3.6.5       3.6.5
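The ranges above are per minor line, so "is my instance affected?" is not a single comparison: the fix level depends on which line you are on, and the first range has no lower bound. The check below is an added example written for this page, not code from GitHub or from the CVE database; it encodes the table as listed here and evaluates an installed version against it. The `installed_version` field it reads from a GHES `GET /api/v3/meta` response is an assumption about that endpoint's payload, and the sample payload is constructed, not captured from a real instance.

```python
"""Affected-version check for CVE-2022-23741 (GitHub Enterprise Server).

Added example for this page; not GitHub's code. The ranges mirror the
advisory table: one fixed release per supported minor line.
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Patched release per minor line, exactly as the advisory lists them.
FIXED_IN = {
    (3, 3): (3, 3, 17),
    (3, 4): (3, 4, 12),
    (3, 5): (3, 5, 9),
    (3, 6): (3, 6, 5),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(s: str) -> Version:
    """Parse 'major.minor.patch' (a leading 'v' is tolerated).

    Anything else, including pre-release suffixes, is rejected rather than
    guessed, so a malformed input cannot silently read as 'patched'.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version: {s!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release for this build's minor line, or None if the
    build is not inside any listed range.

    The first range on the page ('< 3.3.17') has no lower bound, so a build
    older than 3.3 is treated as affected and pointed at 3.3.17 (conservative).
    Minor lines above 3.6 are not listed, so they are treated as not affected.
    """
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_IN:
        fixed = FIXED_IN[line]
    elif line < (3, 3):
        fixed = FIXED_IN[(3, 3)]
    else:
        return None
    if (major, minor, patch) < fixed:
        return ".".join(str(x) for x in fixed)
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def check_meta_payload(meta_json: str) -> dict:
    """Evaluate the JSON body of a GHES GET /api/v3/meta response.

    The 'installed_version' field name is an assumption; confirm it against
    your own instance before relying on this in automation.
    """
    meta = json.loads(meta_json)
    version = meta["installed_version"]
    fixed = fixed_version_for(version)
    return {
        "installed_version": version,
        "affected": fixed is not None,
        "upgrade_to": fixed,
    }


# Constructed sample payload (not captured from a real instance).
SAMPLE_META = json.dumps({
    "verifiable_password_authentication": True,
    "installed_version": "3.5.8",
})

if __name__ == "__main__":
    print(check_meta_payload(SAMPLE_META))
```

Note that a fixed build is the one named for its own line: 3.4.12 is patched, while 3.5.8 is not, even though 3.5.8 sorts after 3.4.12. Comparing against a single "latest fixed" version would get that wrong, which is why the table is keyed by minor line.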