CVE-2021-41598

8.8 HIGH

📋 TL;DR

CVE-2021-41598 is a UI misrepresentation vulnerability in the GitHub App user-authorization web flow of GitHub Enterprise Server. The first time a user authorized a GitHub App, every permission being granted was shown correctly. But if the app's owner later added user-level permissions and the user went through the authorization flow again, the approval screen could omit the new permissions, so the user granted more than the page displayed. To exploit this, an attacker needs to register a GitHub App on the instance, get a user to authorize it through the web flow, add permissions to the app, and get the user to re-authorize. All GitHub Enterprise Server versions prior to 3.3 are affected; the fix shipped in 3.0.21, 3.1.13 and 3.2.5.

💻 Affected Systems

Products:
  • GitHub Enterprise Server
Versions: All versions prior to 3.3
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects every GitHub Enterprise Server deployment regardless of configuration; the flaw is in the GitHub App user-authorization web flow itself, not in any optional feature. Instances on 2.x branches are affected and never received a fix, so the only remedy there is an upgrade to a fixed 3.x release.

📦 What is this software?

GitHub Enterprise Server (GHES) is the self-hosted edition of GitHub, shipped as a virtual appliance that customers run in their own datacenter or cloud. GitHub Apps registered on the instance can act on behalf of users who authorize them through a web flow; the permissions displayed in that flow are what this CVE concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker's app ends up holding user-level permissions the victim never saw on the approval screen, giving access to private repositories, source code and user data through the victim's identity; that can be used for data theft, code manipulation, or a supply chain attack on whatever those repositories feed.

🟠

Likely Case

A GitHub App that looked harmless when first authorized quietly accumulates permissions over time, and users who are pushed back through the authorization flow grant them without being shown what changed, exposing private repositories and user data.

🟢

If Mitigated

With proper user awareness and monitoring, unauthorized permission escalations are detected and revoked before significant damage occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: No public reports
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation needs an account on the instance to register a GitHub App, a victim who authorizes it through the web flow, a later change to the app's user-level permissions, and the victim going through the authorization flow again. None of the steps is technically hard; the effort is in getting users to authorize and then re-authorize, which a convincing app and a prompt to "reconnect" can drive, and the whole sequence could be automated once users have been lured in.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.5, 3.1.13, 3.0.21, or upgrade to 3.3+

Vendor Advisory: https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.21

Restart Required: Yes

Instructions:

1. Back up your GitHub Enterprise Server instance.
2. Upgrade to version 3.0.21, 3.1.13, 3.2.5, or any 3.3+ release.
3. Follow GitHub's upgrade documentation for your specific version.
4. Restart the instance after the upgrade.

🔧 Temporary Workarounds

Restrict GitHub App Creation

Platforms: all

Limit who may register GitHub Apps on the instance and tell users to authorize only apps from owners they trust. The attacker has to register an app on your instance before any other step works, so narrowing who can do that shrinks the attack surface.

Monitor GitHub App Permissions

Platforms: all

Keep a record of each app's declared permissions and compare it regularly. An app whose permissions grew, followed by users re-authorizing it, is exactly the pattern this CVE lets an attacker hide from the approval screen.

🧯 If You Can't Patch

  • Do not rely on the approval screen: on unpatched instances it is the thing that lies. Have users review their Authorized GitHub Apps (Settings > Applications) and revoke anything they do not recognise or no longer need.
  • Treat any request to re-authorize an already-authorized app as a signal that its permissions changed, and check the app's current permission list out of band before approving.
  • Monitor and audit all GitHub App installations and permission changes in real time, and alert when an app gains permissions after users have already authorized it.

🔍 How to Verify

Check if Vulnerable:

Check your GitHub Enterprise Server version in the Management Console (https://your-ghe-instance:8443) or over the administrative shell, which listens on port 122, with 'ghe-version'

Check Version:

ssh -p 122 admin@your-ghe-instance 'ghe-version'

Verify Fix Applied:

The version must be 3.0.21 or later on the 3.0 branch, 3.1.13 or later on 3.1, 3.2.5 or later on 3.2, or any 3.3+ release. Compare branch by branch: 3.1.0 sorts above 3.0.21 but is still vulnerable.
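As an added worked example (my code, not GitHub tooling and not part of the original page), the script below turns the version check above into a branch-aware comparison: each 3.x branch has its own fix release, so a plain "is it below 3.3" test would misclassify 3.0.21 and 3.1.13. It assumes only that whatever you pipe in, such as the output of ghe-version, contains a dotted X.Y.Z version; the filename ghe_check.py in the usage comment is hypothetical.

```python
"""Decide whether a GitHub Enterprise Server version is affected by CVE-2021-41598.

Added example; not GitHub tooling. It assumes only that the text handed to it
(for example the output of `ghe-version`) contains a dotted X.Y.Z version.
"""
import re
import sys
from typing import Tuple

Version = Tuple[int, int, int]

# Releases that shipped the fix on each supported branch (from the vendor notes).
FIXED_ON_BRANCH = {
    (3, 0): (3, 0, 21),
    (3, 1): (3, 1, 13),
    (3, 2): (3, 2, 5),
}
# 3.3 was the first feature release that was never vulnerable.
FIRST_CLEAN_BRANCH = (3, 3)


def parse_version(text: str) -> Version:
    """Return the first X.Y.Z found in text, e.g. 'GitHub Enterprise Server 3.2.4' -> (3, 2, 4)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no X.Y.Z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version) -> bool:
    """True if this GHES version lacks the CVE-2021-41598 fix.

    Accepts a tuple or any string containing the version. Branch-aware: 3.0.21 is
    fixed even though it sorts below 3.1.0, which is not.
    """
    if isinstance(version, str):
        version = parse_version(version)
    branch = version[:2]
    if branch >= FIRST_CLEAN_BRANCH:
        return False
    fixed = FIXED_ON_BRANCH.get(branch)
    if fixed is None:
        # 2.x and anything else below 3.0 never received a fix
        return True
    return version < fixed


def verdict(text: str) -> str:
    """One-line verdict for a report."""
    v = parse_version(text)
    status = "VULNERABLE" if is_vulnerable(v) else "fixed"
    return f"GHES {v[0]}.{v[1]}.{v[2]}: {status} (CVE-2021-41598)"


if __name__ == "__main__":
    # Usage: ssh -p 122 admin@ghe 'ghe-version' | python3 ghe_check.py
    # or:    python3 ghe_check.py 3.2.4
    source = " ".join(sys.argv[1:]) if len(sys.argv) > 1 else sys.stdin.read()
    print(verdict(source))
```

Run it across a fleet by feeding each appliance's ghe-version output through it; the branch table is what keeps a patched 3.0.21 host from being paged as vulnerable while a 3.1.0 host still is.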

📡 Detection & Monitoring

Log Indicators:

  • A GitHub App's declared permissions growing after users have already authorized it
  • A burst of authorization events for the same GitHub App shortly after such a change (users being pushed back through the web flow)
  • GitHub App installations whose permission set is far wider than the app's stated purpose

Network Indicators:

  • A rise in API request volume from a GitHub App's user-to-server tokens following a permission change
  • An app reading repository contents, members or secrets it never touched before

SIEM Query:

Template: substitute the source and field names your audit-log forwarder emits. GitHub's audit log records a user authorizing an OAuth or GitHub App under the oauth_authorization category (oauth_authorization.create); "permission_change" below is a placeholder for however your pipeline represents a change to an app's declared permissions.

source="github-enterprise" AND (event="app_authorization" OR event="permission_change") AND status="success" | stats count by app_name, user
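The "Monitor GitHub App Permissions" workaround above and the log indicators in this section both reduce to one check: did an app's permissions grow since the last snapshot, and did a new app appear? The script below is an added example of mine, not GitHub's code and not from the original page. It implements that diff over the permissions object the GitHub REST API returns for app installations (GET /orgs/{org}/installations, served on a GHES instance under https://HOSTNAME/api/v3). The two sample snapshots are constructed; the SENSITIVE set is a local policy assumption; fetch_installations is my helper for taking a live snapshot and is not exercised in the offline demo.

```python
"""Flag GitHub App permission growth between two snapshots.

Added example; not GitHub's code. It works on the `permissions` object the GitHub
REST API returns for app installations (e.g. GET /orgs/{org}/installations on a
GHES instance at https://HOSTNAME/api/v3), a mapping like {"contents": "read"}.
The sample snapshots below are constructed, not captured from a real instance.
"""
import json
import urllib.request
from typing import Dict, List, Tuple

LEVEL = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Local policy assumption: grants or escalations of these get top priority for review.
SENSITIVE = {"administration", "contents", "members", "secrets", "workflows",
             "organization_administration"}

Change = Tuple[str, str, str]  # (permission, old level, new level)

# Constructed sample: baseline taken earlier, current taken now.
BASELINE_SAMPLE = [
    {"app_slug": "ci-runner", "app_id": 11,
     "permissions": {"contents": "read", "metadata": "read"}},
    {"app_slug": "issue-bot", "app_id": 12,
     "permissions": {"issues": "write", "metadata": "read"}},
]
CURRENT_SAMPLE = [
    {"app_slug": "ci-runner", "app_id": 11,
     "permissions": {"contents": "write", "metadata": "read", "secrets": "read"}},
    {"app_slug": "issue-bot", "app_id": 12,
     "permissions": {"issues": "read", "metadata": "read"}},   # downgrade: not a finding
    {"app_slug": "totally-legit", "app_id": 13,
     "permissions": {"administration": "write"}},             # app absent from baseline
]


def index_by_app(installations: List[dict]) -> Dict[str, Dict[str, str]]:
    """app_slug (or app-<id> when the slug is absent) -> permissions mapping."""
    out: Dict[str, Dict[str, str]] = {}
    for inst in installations:
        key = inst.get("app_slug") or f"app-{inst.get('app_id')}"
        out[key] = dict(inst.get("permissions", {}))
    return out


def diff_permissions(baseline: List[dict], current: List[dict]) -> Dict[str, List[Change]]:
    """Apps whose permissions grew, plus apps that did not exist in the baseline.

    Downgrades and removals are ignored: the CVE hides additions, not reductions.
    """
    base = index_by_app(baseline)
    cur = index_by_app(current)
    findings: Dict[str, List[Change]] = {}
    for app, perms in cur.items():
        old = base.get(app, {})
        changes = [
            (name, old.get(name, "none"), level)
            for name, level in perms.items()
            if LEVEL.get(level, 0) > LEVEL.get(old.get(name, "none"), 0)
        ]
        if changes or app not in base:
            findings[app] = changes
    return findings


def sensitive_escalations(findings: Dict[str, List[Change]]) -> Dict[str, List[Change]]:
    """Subset of findings that touch SENSITIVE permissions."""
    out: Dict[str, List[Change]] = {}
    for app, changes in findings.items():
        hot = [c for c in changes if c[0] in SENSITIVE]
        if hot:
            out[app] = hot
    return out


def fetch_installations(api_base: str, org: str, token: str) -> List[dict]:
    """Live snapshot from GHES; not exercised offline. api_base is e.g. https://HOSTNAME/api/v3."""
    req = urllib.request.Request(
        f"{api_base}/orgs/{org}/installations",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["installations"]


if __name__ == "__main__":
    findings = diff_permissions(BASELINE_SAMPLE, CURRENT_SAMPLE)
    base_apps = {i["app_slug"] for i in BASELINE_SAMPLE}
    for app, changes in findings.items():
        tag = "NEW" if app not in base_apps else "GREW"
        print(f"{tag:4} {app}: {changes}")
    print("review first:", sensitive_escalations(findings))
```

Store each snapshot as JSON alongside its timestamp, run the diff on every collection, and join the apps it flags against the authorization events your forwarder emits for the same window: an app that grew and then collected a run of fresh authorizations is the sequence this CVE let an attacker hide.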

🔗 References

  • GitHub Enterprise Server 3.0.21 release notes: https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.21
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-41598