CVE-2022-23741 in GitHubinfo

Summary

by MITRE • 12/14/2022

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a scoped user-to-server token to escalate to full admin/owner privileges. An attacker would require an account with admin access to install a malicious GitHub App. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, and 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/30/2026

The vulnerability CVE-2022-23741 represents a critical authorization flaw in GitHub Enterprise Server that demonstrates how scoped token mechanisms can be exploited to achieve privilege escalation. This issue specifically affects the server's handling of user-to-server tokens where the system failed to properly validate the scope and permissions associated with these tokens. The flaw allowed attackers to manipulate authentication flows in a manner that bypassed intended access controls, effectively transforming limited user privileges into full administrative capabilities. The vulnerability is particularly concerning because it operates at the authorization layer of the platform, where proper access control enforcement is fundamental to security architecture.

The technical implementation of this vulnerability stems from inadequate validation of token scopes within GitHub Enterprise Server's authentication system. When a user with administrative privileges installs a malicious GitHub App, the system's permission model fails to properly restrict the token's capabilities, allowing the app to request and receive elevated privileges beyond what was initially intended. This flaw is categorized under CWE-284 which specifically addresses improper access control issues, where the system fails to properly enforce authorization checks. The vulnerability essentially creates a path where a scoped token can be leveraged to escalate privileges through a compromised administrative account, bypassing the normal security boundaries that should prevent such privilege escalation.

From an operational impact perspective, this vulnerability creates significant risk for organizations relying on GitHub Enterprise Server for their code management and collaboration needs. An attacker who gains access to an administrative account can install malicious applications that exploit this flaw to gain full owner privileges across repositories and organization settings. The attack vector requires initial access to an administrative account but once achieved, provides complete control over the enterprise environment. This represents a severe escalation of privileges that could lead to data exfiltration, code manipulation, unauthorized access to sensitive repositories, and potential compromise of entire development infrastructures. The vulnerability affects organizations that depend on GitHub Enterprise's permission model and token-based authentication systems, making it a critical concern for enterprise security teams managing software development workflows.

Organizations should immediately update their GitHub Enterprise Server installations to versions 3.3.17, 3.4.12, 3.5.9, or 3.6.5 to remediate this vulnerability. The fix addresses the underlying authorization logic by strengthening token scope validation and ensuring that user-to-server tokens cannot be used to escalate privileges beyond their intended scope. Security teams should also conduct comprehensive audits of their GitHub Enterprise environments to identify any unauthorized applications that may have been installed prior to the patch deployment. Additionally, organizations should review their administrative account usage and implement additional security controls such as multi-factor authentication and regular access reviews. This vulnerability aligns with ATT&CK technique T1078 which covers valid accounts and privilege escalation, demonstrating how legitimate administrative access can be exploited to gain elevated privileges through system flaws rather than traditional attack vectors. The remediation process should include monitoring for suspicious application installations and ensuring that administrative privileges are strictly controlled and regularly audited to prevent unauthorized access to the platform's core functionality.

Reservation

01/19/2022

Disclosure

12/14/2022

Moderation

accepted

CPE

ready

EPSS

0.01097

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!