← Back

CVE-2022-46258

nvd nist
Published: Jan 9, 2023Modified: Apr 9, 2025

JSON object

Loading...
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 / Impact: 3.6
Source: NVD

Description

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This vulnerability affected all versions of GitHub Enterprise Server prior to version 3.7 and was fixed in versions 3.3.16, 3.4.11, 3.5.8, and 3.6.4. This vulnerability was reported via the GitHub Bug Bounty program.

Affected (4)

Github
1 product
Enterprise Server
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Github
Enterprise Server
Before 3.3.16
Enterprise Server
From 3.4.0 to 3.4.11
Enterprise Server
From 3.5.0 to 3.5.8
Enterprise Server
From 3.6.0 to 3.6.4

Related CWEs

CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (8)

Source: product-cna@github.com
Source: product-cna@github.com
Source: product-cna@github.com
Source: product-cna@github.com
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.