How severe is CVE-2021-22869?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2021-22869?

This is classified as CWE-668, which is a common weakness in software security.

CVE-2021-22869 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group could access all of the enterprise runner groups within the organization because of improper authentication checks during the request. This could cause code to be run unintentionally by the incorrect runner group. This vulnerability affected GitHub Enterprise Server versions from 3.0.0 to 3.0.15 and 3.1.0 to 3.1.7 and was fixed in 3.0.16 and 3.1.8 releases.

Related Vulnerabilities

CVE-2008-7291

CRITICAL

CVSS:9.8(Critical)

gri before 2.12.18 generates temporary files in an insecure way.

CWE-6682008

CVE-2017-18129

CRITICAL

CVSS:9.8(Critical)

In Android before security patch level 2018-04-05 on Qualcomm Snapdragon Automobile and Snapdragon Mobile MDM9206, MDM9607, SD 845, MSM8996, MSM8998, it is possible for IPA (internet protocol accelera...

CWE-6682017

CVE-2018-18068

CRITICAL

CVSS:9.8(Critical)

The ARM-based hardware debugging feature on Raspberry Pi 3 module B+ and possibly other devices allows non-secure EL1 code to read/write any EL3 (the highest privilege level in ARMv8) memory/register ...

CWE-6682018

CVE-2018-7072

CRITICAL

CVSS:9.8(Critical)

A remote bypass of security restrictions vulnerability was identified in HPE Moonshot Provisioning Manager prior to v1.24.

CWE-6682018

CVE-2018-7846

CRITICAL

CVSS:9.8(Critical)

A CWE-501: Trust Boundary Violation vulnerability on connection to the Controller exists in all versions of the Modicon M580, Modicon M340, Modicon Quantum and Modicon Premium which could cause unauth...

CWE-6682018

CVE-2019-10781

CRITICAL

CVSS:9.8(Critical)

In schema-inspector before 1.6.9, a maliciously crafted JavaScript object can bypass the `sanitize()` and the `validate()` function used within schema-inspector.

CWE-6682019