CVE-2022-23739

CVSS V2 None CVSS V3 None
Description
An incorrect authorization vulnerability was identified in GitHub Enterprise Server, allowing for escalation of privileges in GraphQL API requests from GitHub Apps. This vulnerability allowed an app installed on an organization to gain access to and modify most organization-level resources that are not tied to a repository regardless of granted permissions, such as users and organization-wide projects. Resources associated with repositories were not impacted, such as repository file content, repository-specific projects, issues, or pull requests. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7.1 and was fixed in versions 3.3.16, 3.4.11, 3.5.8, 3.6.4, 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program.
Overview
  • CVE ID
  • CVE-2022-23739
  • Assigner
  • product-cna@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2023-01-17T19:15:11
  • Last Modified Date
  • 2023-01-25T03:09:40
Weakness Enumerations
CWE URL
CWE-863 http://cwe.mitre.org/data/definitions/863.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* 1 OR 3.3.16
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* 1 OR 3.4.0 3.4.11
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* 1 OR 3.5.0 3.5.8
cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* 1 OR 3.6.0 3.6.4
cpe:2.3:a:github:enterprise_server:3.7.0:*:*:*:*:*:*:* 1 OR
References
Reference URL Reference Tags
https://docs.github.com/en/enterprise-server@3.3/admin/release-notes#3.3.16
https://docs.github.com/en/enterprise-server@3.4/admin/release-notes#3.4.11
https://docs.github.com/en/enterprise-server@3.5/admin/release-notes#3.5.8
https://docs.github.com/en/enterprise-server@3.6/admin/release-notes#3.6.4
https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.1
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-23739
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23739
History
Created Old Value New Value Data Type Notes
2023-01-17 19:15:29 Added to TrackCVE
2023-01-17 19:15:30 Weakness Enumeration new
2023-01-17 23:14:24 2023-01-17T23:01:04 CVE Modified Date updated
2023-01-17 23:14:24 Received Awaiting Analysis Vulnerability Status updated
2023-01-23 19:14:07 Awaiting Analysis Undergoing Analysis Vulnerability Status updated
2023-01-23 21:13:19 Undergoing Analysis Awaiting Analysis Vulnerability Status updated
2023-01-24 11:14:20 Awaiting Analysis Undergoing Analysis Vulnerability Status updated
2023-01-25 03:16:15 2023-01-25T03:09:40 CVE Modified Date updated
2023-01-25 03:16:15 Undergoing Analysis Analyzed Vulnerability Status updated
2023-01-25 03:16:16 CPE Information updated