CVE-2022-46258

CVE-2022-46258: Incorrect Authorization in GitHub Enterprise Server leads to Action Workflow modifications without Workflow Scope

Vendor Github

Product GitHub Enterprise Server

Weakness CWE-863 · Incorrect authorization

Published January 9, 2023

Last update April 9, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This vulnerability affected all versions of GitHub Enterprise Server prior to version 3.7 and was fixed in versions 3.3.16, 3.4.11, 3.5.8, and 3.6.4. This vulnerability was reported via the GitHub Bug Bounty program.

Key dates

02Disclosure timeline

January 9, 2023 CVE published

April 9, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-46258

Related vulnerabilities

Identifiers

CVE CVE-2022-46258

CWE CWE-863

Affected versions

Vendor Github

Product GitHub Enterprise Server

Affected ≥ 3.3 and < 3.3.16

Vendor Github

Product GitHub Enterprise Server

Affected ≥ 3.4 and < 3.4.11

Vendor Github

Product GitHub Enterprise Server

Affected ≥ 3.5 and < 3.5.8

Vendor Github

Product GitHub Enterprise Server

Affected ≥ 3.6 and < 3.6.4

CVE-2022-46258: Incorrect Authorization in GitHub Enterprise Server leads to Action Workflow modifications without Workflow Scope

01Description

02Disclosure timeline

03References

04Related CVE