
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2022-46258 is an incorrect authorization vulnerability discovered in GitHub Enterprise Server that allowed repository-scoped tokens with read/write access to modify workflows without proper permissions. The vulnerability was discovered by Cycode Labs and disclosed to GitHub through their bug bounty program on March 10, 2022, though it was initially marked as informational before being acknowledged as a security issue (Cycode Blog).
The vulnerability relates to how GitHub checks permissions when files are modified through its API. Specifically, a workflow token that lacked the required 'workflow' scope could still create new workflow files by writing them through the Contents API. The vulnerability has a CVSS rating of 6.5 and is classified as CWE-863 (Incorrect Authorization) (Cycode Blog).
The vulnerability could allow any workflow to create additional workflows and effectively escalate its privileges, including gaining access to all encrypted secrets stored in GitHub Actions that are normally only accessible to privileged workflows. This could potentially lead to severe supply-chain attacks through exposure of sensitive information such as cloud tokens and Artifactory tokens (Cycode Blog).
For GitHub Cloud users, no action is required as the vulnerability has been automatically patched. GitHub Enterprise Server users must update to non-vulnerable versions: 3.3.16, 3.4.11, 3.5.8, or 3.6.4. The vulnerability affects GitHub Enterprise Server versions before 3.7 (Cycode Blog).
GitHub initially marked the vulnerability report as informational on March 14, 2022, but later acknowledged it as a valid security issue on January 26, 2023. The company awarded a $4,000 bounty to the researchers who discovered the vulnerability (Cycode Blog).
Source: This report was generated using AI
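As an added, defender-side example that is not part of this entry or of GitHub's or Cycode's code: the first function checks whether a GitHub Enterprise Server version string is on one of the fixed releases listed above, and the second scans a simplified push-event commit list (constructed here; the `github-actions[bot]` username and the payload keys are assumptions) for workflow files written by the Actions bot identity, which is the trace a workflow token leaves when it creates another workflow.

```python
"""Added example for CVE-2022-46258 (not code from the DB entry, GitHub or Cycode)."""
import re

# Fixed GHES releases named in the entry; 3.7 and later are not affected.
FIXED = {(3, 3): 16, (3, 4): 11, (3, 5): 8, (3, 6): 4}
WORKFLOW_DIR = ".github/workflows/"
ACTIONS_BOT = "github-actions[bot]"  # assumed username for GITHUB_TOKEN commits


def is_patched(version: str) -> bool:
    """Return True if a GHES version string such as '3.5.8' carries the fix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) >= (3, 7):
        return True
    # Release lines with no fixed version listed (e.g. 3.2) are treated as unpatched.
    threshold = FIXED.get((major, minor))
    return threshold is not None and patch >= threshold


def flag_workflow_writes(commits: list[dict]) -> list[str]:
    """Return ids of commits where the Actions bot added or modified a workflow file.

    Such commits deserve review: a workflow token should not be able to create
    new workflows, and on an unpatched server that is exactly what this CVE allowed.
    """
    hits = []
    for c in commits:
        if c["author"]["username"] != ACTIONS_BOT:
            continue
        touched = c.get("added", []) + c.get("modified", [])
        if any(path.startswith(WORKFLOW_DIR) for path in touched):
            hits.append(c["id"])
    return hits


# Constructed sample resembling a push-event commit list (not a real event).
SAMPLE_COMMITS = [
    {"id": "c1", "author": {"username": "alice"},
     "added": [".github/workflows/ci.yml"], "modified": []},
    {"id": "c2", "author": {"username": ACTIONS_BOT},
     "added": [], "modified": ["README.md"]},
    {"id": "c3", "author": {"username": ACTIONS_BOT},
     "added": [".github/workflows/deploy.yml"], "modified": []},
]

if __name__ == "__main__":
    print(flag_workflow_writes(SAMPLE_COMMITS))  # ['c3']
    print(is_patched("3.5.7"), is_patched("3.5.8"), is_patched("3.7.0"))  # False True True
```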