CVE-2021-22862 (GCVE-0-2021-22862)

Vulnerability from cvelistv5 – Published: 2021-03-03 03:25 – Updated: 2024-08-03 18:51
VLAI?
Title
Improper access control in GitHub Enterprise Server leading to the disclosure of Actions secrets to forks
Summary
An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit the Actions secrets sent a workflow from forks could be bypassed. This vulnerability affected GitHub Enterprise Server version 3.0.0, 3.0.0.rc2, and 3.0.0.rc1. This vulnerability was reported via the GitHub Bug Bounty program.
Severity ?
No CVSS data available.
CWE
Assigner
References
Impacted products
Vendor Product Version
GitHub GitHub Enterprise Server Affected: 3.0 , < 3.0.1 (custom)
Create a notification for this product.
Credits
Teddy Katz
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:51:07.479Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GitHub Enterprise Server",
          "vendor": "GitHub",
          "versions": [
            {
              "lessThan": "3.0.1",
              "status": "affected",
              "version": "3.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Teddy Katz"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit the Actions secrets sent a workflow from forks could be bypassed. This vulnerability affected GitHub Enterprise Server version 3.0.0, 3.0.0.rc2, and 3.0.0.rc1. This vulnerability was reported via the GitHub Bug Bounty program."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-03T03:25:22",
        "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "shortName": "GitHub_P"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Improper access control in GitHub Enterprise Server leading to the disclosure of Actions secrets to forks",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "product-cna@github.com",
          "ID": "CVE-2021-22862",
          "STATE": "PUBLIC",
          "TITLE": "Improper access control in GitHub Enterprise Server leading to the disclosure of Actions secrets to forks"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GitHub Enterprise Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.0",
                            "version_value": "3.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "GitHub"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Teddy Katz"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit the Actions secrets sent a workflow from forks could be bypassed. This vulnerability affected GitHub Enterprise Server version 3.0.0, 3.0.0.rc2, and 3.0.0.rc1. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-285: Improper Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.1",
              "refsource": "MISC",
              "url": "https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.1"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
    "assignerShortName": "GitHub_P",
    "cveId": "CVE-2021-22862",
    "datePublished": "2021-03-03T03:25:22",
    "dateReserved": "2021-01-06T00:00:00",
    "dateUpdated": "2024-08-03T18:51:07.479Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:github:github:3.0.0:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"61ABB5BF-C578-403B-8EF9-A28274F486FF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:github:github:3.0.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"634A0A6C-0F17-4DE2-B2D1-C3B0C5C8EDD6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:github:github:3.0.0:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"0FA74C51-5AB4-4B23-B24B-5629736B17E1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit the Actions secrets sent a workflow from forks could be bypassed. This vulnerability affected GitHub Enterprise Server version 3.0.0, 3.0.0.rc2, and 3.0.0.rc1. This vulnerability was reported via the GitHub Bug Bounty program.\"}, {\"lang\": \"es\", \"value\": \"Se identific\\u00f3 una vulnerabilidad de control de acceso inadecuada en GitHub Enterprise Server que permit\\u00eda a un usuario autenticado con la capacidad de bifurcar un repositorio revelar los secretos de las acciones para el repositorio padre de la bifurcaci\\u00f3n. Esta vulnerabilidad exist\\u00eda debido a un fallo que permit\\u00eda actualizar la referencia base de un pull request para que apuntara a un SHA arbitrario o a otro pull request fuera del repositorio fork. Al establecer esta referencia incorrecta en un PR, las restricciones que limitan las Acciones secretas enviadas a un flujo de trabajo desde los forks pod\\u00edan ser eludidas. Esta vulnerabilidad afectaba a las versiones 3.0.0, 3.0.0.rc2 y 3.0.0.rc1 de GitHub Enterprise Server. Esta vulnerabilidad fue reportada a trav\\u00e9s del programa GitHub Bug Bounty\"}]",
      "id": "CVE-2021-22862",
      "lastModified": "2024-11-21T05:50:47.250",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:N/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-03-03T04:15:13.163",
      "references": "[{\"url\": \"https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.1\", \"source\": \"product-cna@github.com\"}, {\"url\": \"https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "product-cna@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"product-cna@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-285\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-22862\",\"sourceIdentifier\":\"product-cna@github.com\",\"published\":\"2021-03-03T04:15:13.163\",\"lastModified\":\"2024-11-21T05:50:47.250\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An improper access control vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This vulnerability existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit the Actions secrets sent a workflow from forks could be bypassed. This vulnerability affected GitHub Enterprise Server version 3.0.0, 3.0.0.rc2, and 3.0.0.rc1. This vulnerability was reported via the GitHub Bug Bounty program.\"},{\"lang\":\"es\",\"value\":\"Se identific\u00f3 una vulnerabilidad de control de acceso inadecuada en GitHub Enterprise Server que permit\u00eda a un usuario autenticado con la capacidad de bifurcar un repositorio revelar los secretos de las acciones para el repositorio padre de la bifurcaci\u00f3n. Esta vulnerabilidad exist\u00eda debido a un fallo que permit\u00eda actualizar la referencia base de un pull request para que apuntara a un SHA arbitrario o a otro pull request fuera del repositorio fork. Al establecer esta referencia incorrecta en un PR, las restricciones que limitan las Acciones secretas enviadas a un flujo de trabajo desde los forks pod\u00edan ser eludidas. Esta vulnerabilidad afectaba a las versiones 3.0.0, 3.0.0.rc2 y 3.0.0.rc1 de GitHub Enterprise Server. Esta vulnerabilidad fue reportada a trav\u00e9s del programa GitHub Bug Bounty\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"product-cna@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:github:github:3.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"61ABB5BF-C578-403B-8EF9-A28274F486FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:github:github:3.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"634A0A6C-0F17-4DE2-B2D1-C3B0C5C8EDD6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:github:github:3.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0FA74C51-5AB4-4B23-B24B-5629736B17E1\"}]}]}],\"references\":[{\"url\":\"https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.1\",\"source\":\"product-cna@github.com\"},{\"url\":\"https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.