CVE-2021-22863

8.1 HIGH

📋 TL;DR

This vulnerability allows authenticated GitHub Enterprise Server users to modify pull request maintainer permissions without authorization, potentially gaining access to head branches of pull requests in repositories where they are maintainers. It affects all GitHub Enterprise Server instances since version 2.12.22. The vulnerability enables unauthorized modification of pull request collaboration settings.

💻 Affected Systems

Products:
  • GitHub Enterprise Server
Versions: All versions since 2.12.22 up to (but not including) 2.20.24, 2.21.15, 2.22.7, and 3.0.1
Operating Systems: All supported GitHub Enterprise Server platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Forking is disabled by default for organization-owned private repositories, which provides some protection. Branch protections would prevent unauthorized merges.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could gain unauthorized write access to protected branches, potentially injecting malicious code into repositories, compromising source code integrity, and enabling supply chain attacks.

🟠

Likely Case

Malicious insiders or compromised accounts could modify pull requests they shouldn't have access to, potentially bypassing code review processes and introducing unauthorized changes.

🟢

If Mitigated

With proper branch protections (required reviews, status checks) and forking disabled on private repositories, unauthorized commits would be prevented from merging without review.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated user access. Exploitation involves GraphQL API manipulation to modify pull request maintainer collaboration permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.20.24, 2.21.15, 2.22.7, or 3.0.1

Vendor Advisory: https://docs.github.com/en/enterprise-server%402.20/admin/release-notes#2.20.24

Restart Required: Yes

Instructions:

1. Backup your GitHub Enterprise Server instance.
2. Upgrade to one of the patched versions: 2.20.24, 2.21.15, 2.22.7, or 3.0.1.
3. Follow GitHub's upgrade procedures for your specific version.
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Disable forking on private repositories

all

Prevents exploitation by disabling forking on organization-owned private repositories

Organization settings → Member privileges → Repository forking → Disable for private repositories

Enforce branch protections

all

Require pull request reviews and status checks to prevent unauthorized merges

Repository settings → Branches → Add branch protection rule → Require pull request reviews, Require status checks

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unusual GraphQL API activity
  • Enable comprehensive audit logging and review pull request permission changes regularly

🔍 How to Verify

Check if Vulnerable:

Check your GitHub Enterprise Server version via the Management Console or SSH. If your version is 2.12.22 or later and lower than the patched release for its series (2.20.24, 2.21.15, 2.22.7, or 3.0.1), you are vulnerable.

Check Version:

ssh admin@your-ghes-instance 'ghes-version' or check Management Console dashboard

Verify Fix Applied:

Verify the version is 2.20.24, 2.21.15, 2.22.7, or 3.0.1 or higher within its series. Then test that the GraphQL API rejects attempts to change pull request maintainer collaboration settings from an account that is not authorized to do so.
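The version comparison described above is easy to get wrong by hand because each release series has its own fix level. The following added example (not from the advisory or from GitHub) encodes the affected range and the four patched releases named on this page and reports whether a given GHES version string still needs the upgrade. It assumes plain `X.Y.Z` version strings such as those shown in the Management Console, and it treats series newer than 3.0 as released after the fix.

```python
from typing import Optional, Tuple

# Patched releases named on this advisory, keyed by (major, minor) series.
PATCHED = {
    (2, 20): (2, 20, 24),
    (2, 21): (2, 21, 15),
    (2, 22): (2, 22, 7),
    (3, 0): (3, 0, 1),
}
# First affected release according to the advisory.
FIRST_AFFECTED = (2, 12, 22)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' (an optional leading 'v' is tolerated) into a tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def required_fix(version: str) -> Optional[str]:
    """Return the patched release this instance must reach, or None if it is
    already outside the affected range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return None  # predates the affected range
    fixed = PATCHED.get(v[:2])
    if fixed is None:
        # Assumption: series 2.12 through 2.19 have no patched release listed
        # on the advisory, so they can only be fixed by moving to a patched
        # series; anything newer than 3.0.x shipped after the fix.
        if v >= (3, 1, 0):
            return None
        return ".".join(str(n) for n in PATCHED[(2, 20)])
    if v >= fixed:
        return None
    return ".".join(str(n) for n in fixed)


def is_vulnerable(version: str) -> bool:
    """True when the given GHES version still needs the CVE-2021-22863 fix."""
    return required_fix(version) is not None
```

A hostname-to-version lookup can be wrapped around `is_vulnerable` to sweep a fleet of instances; the decision logic itself is independent of how the version string is obtained.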

📡 Detection & Monitoring

Log Indicators:

  • Unusual GraphQL API calls modifying pull request permissions
  • Unexpected changes to pull request maintainer collaboration settings
  • Authentication logs showing users accessing repositories they shouldn't

Network Indicators:

  • Suspicious GraphQL mutation requests to modify pull request permissions

SIEM Query:

source="github_audit_log" AND (event="pull_request.maintainer_collaborator_added" OR event="pull_request.maintainer_collaborator_removed") AND actor NOT IN [authorized_maintainers]
