Lucene search

[email protected]CVE-2022-46257

HistoryMar 07, 2023 - 5:15 p.m.

CVE-2022-46257

2023-03-0717:15:12

CWE-668

CWE-200

[email protected]

web.nvd.nist.gov

github enterprise server

information disclosure

vulnerability

github actions

api

github bug bounty

nvd

cve-2022-46257

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

44.7%

JSON

An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploit this vulnerability, an attacker would need access to the GHES instance, permissions to modify GitHub Actions runner groups, and successfully guess the obfuscated ID of private repositories. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7 and was fixed in versions 3.3.17, 3.4.12, 3.5.9, 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program.

Affected configurations

Vulners

NVD

Node

githubenterprise_serverRange3.3–3.3.17

githubenterprise_serverRange3.4–3.4.12

githubenterprise_serverRange3.5–3.5.9

githubenterprise_serverRange3.6–3.6.5

VendorProductVersionCPE
githubenterprise_server*cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
githubenterprise_server*cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
githubenterprise_server*cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
githubenterprise_server*cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
github	enterprise_server	*	cpe:2.3:a:github:enterprise_server::::::::
github	enterprise_server	*	cpe:2.3:a:github:enterprise_server::::::::
github	enterprise_server	*	cpe:2.3:a:github:enterprise_server::::::::
github	enterprise_server	*	cpe:2.3:a:github:enterprise_server::::::::

CNA Affected

[
  {
    "vendor": "GitHub",
    "product": "GitHub Enterprise Server",
    "versions": [
      {
        "version": "3.3",
        "status": "affected",
        "lessThan": "3.3.17",
        "versionType": "custom"
      },
      {
        "version": "3.4",
        "status": "affected",
        "lessThan": "3.4.12",
        "versionType": "custom"
      },
      {
        "version": "3.5",
        "status": "affected",
        "lessThan": "3.5.9",
        "versionType": "custom"
      },
      {
        "version": "3.6",
        "status": "affected",
        "lessThan": "3.6.5",
        "versionType": "custom"
      }
    ]
  }
]

References

docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.17

docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.12

docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.9

docs.github.com/en/enterprise-server%403.6/admin/release-notes#3.6.5

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

44.7%

JSON

Related for CVE-2022-46257

cvelist1 prion1 nvd1