CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
55.0%
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This vulnerability affected all versions of GitHub Enterprise Server prior to version 3.7 and was fixed in versions 3.3.16, 3.4.11, 3.5.8, and 3.6.4. This vulnerability was reported via the GitHub Bug Bounty program.
Vendor | Product | Version | CPE |
---|---|---|---|
github | enterprise_server | * | cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:* |
[
{
"vendor": "GitHub",
"product": "GitHub Enterprise Server",
"versions": [
{
"version": "3.3",
"status": "affected",
"lessThan": "3.3.16",
"versionType": "custom"
},
{
"version": "3.4",
"status": "affected",
"lessThan": "3.4.11",
"versionType": "custom"
},
{
"version": "3.5",
"status": "affected",
"lessThan": "3.5.8",
"versionType": "custom"
},
{
"version": "3.6",
"status": "affected",
"lessThan": "3.6.4",
"versionType": "custom"
}
]
}
]