Input validation

2023-12-2121:15:00

PRIOn knowledge base

www.prio-n.com

github

enterprise server

privilege management

arbitrary workflows

scoped pat

vulnerability

nvd

7.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped PAT. To exploit this, a workflow must have already existed in the target repo. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1.

CPENameOperatorVersion
enterprise_serverge3.10.0
enterprise_serverlt3.10.4
enterprise_serverge3.9.0
enterprise_serverlt3.9.7
enterprise_serverge3.8.0
enterprise_serverlt3.8.12
enterprise_servereq3.11.0

Name	Operator	Version
enterprise_server	ge	3.10.0
enterprise_server	lt	3.10.4
enterprise_server	ge	3.9.0
enterprise_server	lt	3.9.7
enterprise_server	ge	3.8.0
enterprise_server	lt	3.8.12
enterprise_server	eq	3.11.0

References

docs.github.com/en/[email protected]/admin/release-notes