CVE-2021-22862 Improper access control in GitHub Enterprise Server leading to the disclosure of Actions secrets to forks

2021-03-03 03:25:22
CWE-285
GitHub_P
www.cve.org

EPSS: 0.001 (Low), Percentile: 28.4%

An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit the Actions secrets sent to a workflow from forks could be bypassed. This vulnerability affected GitHub Enterprise Server versions 3.0.0, 3.0.0.rc2, and 3.0.0.rc1. This vulnerability was reported via the GitHub Bug Bounty program.

CNA Affected

[
  {
    "product": "GitHub Enterprise Server",
    "vendor": "GitHub",
    "versions": [
      {
        "lessThan": "3.0.1",
        "status": "affected",
        "version": "3.0",
        "versionType": "custom"
      }
    ]
  }
]
