16 matches found
CVE-2022-23739
An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain access to and modify most organization-level resources that a...
EUVD-2022-7643
Malicious code in bioql PyPI...
CVE-2024-8810 Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed GitHub Apps to grant themselves write access
A GitHub App installed in organizations could upgrade some permissions from read to write access without approval from an organization administrator. An attacker would require an account with administrator access to install a malicious GitHub App. This vulnerability affected all versions of GitHu...
Authorization
An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain access to and modify most organization-level resources that a...
CVE-2022-23739 Incorrect authorization check in GitHub Enterprise Server leading to escalation of privileges in GraphQL API requests from GitHub Apps using scoped user-to-server tokens
An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain access to and modify most organization-level resources that a...
PT-2023-12733 · Github · Github Enterprise Server
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.7.1 Description: An incorrect authorization issue was identified, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This issue enabled an app installed on an...
CVE-2022-23739
CVE-2022-23739 concerns an incorrect authorization flaw in GitHub Enterprise Server that allowed a GitHub App to escalate privileges via GraphQL API requests. The issue could let an app installed in an organization access and modify most organization‑level resources not tied to a repository (e.g....
CVE-2022-39304
ghinstallation provides transport, which implements http.RoundTripper to provide authentication as an installation for GitHub Apps. In ghinstallation version 1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging. The request...
Hardcoded credentials
ghinstallation provides transport, which implements http.RoundTripper to provide authentication as an installation for GitHub Apps. In ghinstallation version 1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging. The request...
CVE-2022-39304 ghinstallation returns app JWT in error responses
ghinstallation provides transport, which implements http.RoundTripper to provide authentication as an installation for GitHub Apps. In ghinstallation version 1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging. The request...
CVE-2022-39304
CVE-2022-39304 concerns ghinstallation, which provides a transport for GitHub Apps authentication. In ghinstallation version 1, if refreshing an installation token failed, the HTTP request and response were returned for debugging, revealing the App’s bearer JWT (short-lived, up to 10 minutes) to ...
GHSA-H4Q8-96P6-JCGR ghinstallation returns app JWT in error responses
Impact: In ghinstallation v1, when the request to refresh an installation token failed, the HTTP request and response would be returned for debugging. https://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transport.go#L172-L174 The request contained the beare...