CVE-2021-22866
📋 TL;DR
This CVE describes a UI misrepresentation vulnerability in GitHub Enterprise Server where users granting authorization to GitHub Apps might unknowingly approve additional permissions not displayed during the approval flow. An attacker could exploit this by creating a malicious GitHub App and tricking users into authorizing it, potentially gaining unintended access. This affects GitHub Enterprise Server instances running vulnerable versions.
💻 Affected Systems
- GitHub Enterprise Server
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains unauthorized access to sensitive user data, repositories, or organizational resources through escalated permissions granted without user awareness.
Likely Case
Users inadvertently grant more permissions than intended to GitHub Apps, potentially exposing private repositories, user data, or organizational settings.
If Mitigated
With proper user awareness and monitoring, unauthorized access attempts can be detected and contained before significant damage occurs.
🎯 Exploit Status
Exploitation requires creating a GitHub App and convincing users to authorize it, making social engineering a component.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.7 or 2.22.13
Vendor Advisory: https://docs.github.com/en/enterprise-server@2.22/admin/release-notes#2.22.13
Restart Required: Yes
Instructions:
1. Back up your GitHub Enterprise Server instance.
2. Upgrade to version 3.0.7 (if on 3.0.x) or 2.22.13 (if on 2.22.x).
3. Follow GitHub's upgrade documentation for your deployment method (VMware, Hyper-V, AWS, Azure, etc.).
4. Restart the instance after the upgrade.
🔧 Temporary Workarounds
Restrict GitHub App Creation
Limit who can create GitHub Apps to trusted administrators only.
User Education
Educate users to carefully review all permissions during GitHub App authorization and avoid authorizing unfamiliar apps.
🧯 If You Can't Patch
- Monitor GitHub App authorizations and audit existing apps for suspicious permissions.
- Implement network segmentation to limit the impact of compromised apps.
🔍 How to Verify
Check if Vulnerable:
Check your GitHub Enterprise Server version via the Management Console or SSH into the instance and run 'ghe-version'.
Check Version:
ssh admin@your-ghe-instance 'ghe-version'
Verify Fix Applied:
After patching, verify the version is 3.0.7 or higher (for 3.0.x) or 2.22.13 or higher (for 2.22.x) using 'ghe-version'.
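The version check below is an added example, not part of this advisory or of GitHub's own tooling: it parses the output of 'ghe-version' and compares it against the fixed versions listed above, using numeric per-component comparison so that 3.0.10 correctly counts as newer than 3.0.7. The exact output format of 'ghe-version' and the admin@host SSH form are assumptions taken from the command above; branches other than 2.22.x and 3.0.x get no verdict because this advisory lists no fixed version for them.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions named in this advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (3, 0): (3, 0, 7),
    (2, 22): (2, 22, 13),
}

# The exact output format of ghe-version is assumed; the parser only relies
# on a dotted X.Y.Z token appearing somewhere in the text.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_ghe_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Return the first X.Y.Z version found in ghe-version output, or None."""
    match = VERSION_RE.search(output)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess_cve_2021_22866(output: str) -> str:
    """Classify ghe-version output as 'fixed', 'vulnerable' or 'unknown'.

    'unknown' means no version was found, or the instance runs a branch this
    advisory lists no fixed version for (anything other than 2.22.x and
    3.0.x); consult the vendor release notes for those instead of guessing.
    """
    version = parse_ghe_version(output)
    if version is None:
        return "unknown"
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown"
    # Tuple comparison is numeric per component, so (3, 0, 10) >= (3, 0, 7)
    # holds; a plain string comparison of "3.0.10" vs "3.0.7" would not.
    return "fixed" if version >= fixed else "vulnerable"


def assess_remote(host: str, admin_user: str = "admin") -> str:
    """Run ghe-version over SSH (as in the command above) and classify it."""
    result = subprocess.run(
        ["ssh", f"{admin_user}@{host}", "ghe-version"],
        capture_output=True, text=True, check=True,
    )
    return assess_cve_2021_22866(result.stdout)
```

Calling `assess_remote("your-ghe-instance")` performs the same SSH step as the command above and returns one of the three verdicts.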
📡 Detection & Monitoring
Log Indicators:
- Unusual GitHub App authorization events, especially for apps with recently added permissions.
Network Indicators:
- Suspicious API calls from GitHub Apps accessing resources beyond their expected scope.
SIEM Query:
source="github-enterprise" event_type="oauth_authorization" | search app_name="*" | stats count by user, app_name
🔗 References
- https://docs.github.com/en/enterprise-server%402.22/admin/release-notes#2.22.13
- https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.7