Vulnerability	Vulnerable Version
M Missing Authorization github-webhook-server is an A webhook server to manage Github repositories and pull requests. Affected versions of this package are vulnerable to Missing Authorization via unsafe loading of OWNERS files from pull-request–controlled repository checkouts. The `OwnersFileHandler.get_all_repository_approvers_and_reviewers()z method, together with` _get_file_content_from_local()`, reads OWNERS files directly from` clone_repo_dir` without isolating the PR head from the protected base branch. As a result, approver and reviewer lists can be sourced from attacker-modified OWNERS files in the pull request, allowing unauthorized users to influence or bypass required review and approval policies. How to fix Missing Authorization? Upgrade `github-webhook-server` to version 4.0.0 or higher.	[,4.0.0)

Missing Authorization

github-webhook-server is an A webhook server to manage Github repositories and pull requests.

Affected versions of this package are vulnerable to Missing Authorization via unsafe loading of OWNERS files from pull-request–controlled repository checkouts. The OwnersFileHandler.get_all_repository_approvers_and_reviewers()z method, together with _get_file_content_from_local(), reads OWNERS files directly from clone_repo_dir` without isolating the PR head from the protected base branch. As a result, approver and reviewer lists can be sourced from attacker-modified OWNERS files in the pull request, allowing unauthorized users to influence or bypass required review and approval policies.

How to fix Missing Authorization?

Upgrade github-webhook-server to version 4.0.0 or higher.

[,4.0.0)

Go back to all versions of this package