How severe is CVE-2021-22863?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.1 out of 10.

What type of vulnerability is CVE-2021-22863?

This is classified as CWE-285, which is a common weakness in software security.

CVE-2021-22863 - HIGH Severity | CVSS 8.1

Vulnerability Description

An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker would be able to gain access to head branches of pull requests opened on repositories of which they are a maintainer. Forking is disabled by default for organization owned private repositories and would prevent this vulnerability. Additionally, branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability affected all versions of GitHub Enterprise Server since 2.12.22 and was fixed in versions 2.20.24, 2.21.15, 2.22.7 and 3.0.1. This vulnerability was reported via the GitHub Bug Bounty program.

Related Vulnerabilities

CVE-2016-10859

HIGH

CVSS:8.1(High)

cPanel before 11.54.0.0 allows unauthorized password changes via Webmail API commands (SEC-65).

CWE-2852016

CVE-2016-7143

HIGH

CVSS:8.1(High)

The m_authenticate function in modules/m_sasl.c in Charybdis before 3.5.3 allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted AUTHENTICATE p...

CWE-2852016

CVE-2018-1082

HIGH

CVSS:8.1(High)

A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site.

CWE-2852018

CVE-2018-10861

HIGH

CVSS:8.1(High)

A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, create ceph storage pools and corrupt snapshot images. Ceph branches mast...

CWE-2852018

CVE-2018-14637

HIGH

CVSS:8.1(High)

The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.

CWE-2852018

CVE-2018-15465

HIGH

CVSS:8.1(High)

A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privilege...

CWE-2852018