
Commit 97e10bd

Updating verbiage to be in sync with CVE notes (#18550)
* Updating verbiage to be in sync with CVE notes
* accidentally dropped off CVE note
* Updated CVE ID to be correct

Co-authored-by: jmarlena <6732600+jmarlena@users.noreply.github.com>
1 parent 9e7b434 commit 97e10bd

3 files changed

Lines changed: 3 additions & 3 deletions


data/release-notes/2-21/18.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
date: '2021-04-01'
22
sections:
33
security_fixes:
4-
- "**HIGH:** An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated via a GitHub App's [web authentication flow](https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps#web-application-flow) to read private repository metadata without requiring appropriate permissions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.4 and was fixed in 3.0.4, 2.22.10, and 2.21.18. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2021-22865."
4+
- "**HIGH:** An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's [web authentication flow](https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps#web-application-flow) to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. The private repository metadata returned would be limited to repositories owned by the user the token identifies. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.4 and was fixed in versions 3.0.4, 2.22.10, 2.21.18. This vulnerability has been assigned CVE-2021-22865 and was reported via the [GitHub Bug Bounty Program](https://bounty.github.com)."
55
- Packages have been updated to the latest security versions.
66
bugs:
77
- Services were not transitioning to new log files as part of log rotation, resulting in increased disk usage.
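Review bot: the version list in the replacement line drops the conjunction the old line had ("fixed in 3.0.4, 2.22.10, and 2.21.18" became "fixed in versions 3.0.4, 2.22.10, 2.21.18"); suggest "fixed in versions 3.0.4, 2.22.10, and 2.21.18" so the sentence reads as a complete list rather than a truncated one. The rest of the rewording is an improvement over the old text: naming the REST API as the affected surface, stating the preconditions (an app on the instance plus a user completing the web authentication flow) and the scope of the exposure (metadata of repositories owned by the authorizing user) gives administrators what they need to judge their own exposure.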

data/release-notes/2-22/10.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
date: '2021-04-01'
22
sections:
33
security_fixes:
4-
- "**HIGH:** An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated via a GitHub App's [web authentication flow](https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps#web-application-flow) to read private repository metadata without requiring appropriate permissions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.4 and was fixed in 3.0.4, 2.22.10, and 2.21.18. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2021-22865."
4+
- "**HIGH:** An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's [web authentication flow](https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps#web-application-flow) to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. The private repository metadata returned would be limited to repositories owned by the user the token identifies. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.4 and was fixed in versions 3.0.4, 2.22.10, 2.21.18. This vulnerability has been assigned CVE-2021-22865 and was reported via the [GitHub Bug Bounty Program](https://bounty.github.com)."
55
- Packages have been updated to the latest security versions.
66
bugs:
77
- A timezone set on GitHub Enterprise 11.10.x or earlier was not being used by some services which were defaulting to UTC time.
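Review bot: this hunk is byte-for-byte the same replacement as the one in data/release-notes/2-21/18.yml, and the third file repeats it again; since the stated goal of this commit is keeping the wording in sync with the CVE text, consider moving the shared advisory sentence into a single Liquid data include (these files already use `{% data ... %}` tags) so that the next correction lands once instead of three times and the three release notes cannot drift apart.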

data/release-notes/3-0/4.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@ date: '2021-04-01'
22
intro: The minimum infrastructure requirements have increased for {% data variables.product.prodname_ghe_server %} 3.0+. For more information, see "[About minimum requirements for GitHub Enterprise Server 3.0 and later](/admin/enterprise-management/upgrading-github-enterprise-server#about-minimum-requirements-for-github-enterprise-server-30-and-later)."
33
sections:
44
security_fixes:
5-
- "**HIGH:** An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated via a GitHub App's [web authentication flow](https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps#web-application-flow) to read private repository metadata without requiring appropriate permissions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.4 and was fixed in 3.0.4, 2.22.10, and 2.21.18. This vulnerability was reported via the GitHub Bug Bounty program and has been assigned CVE-2021-22865."
5+
- "**HIGH:** An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's [web authentication flow](https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps#web-application-flow) to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. The private repository metadata returned would be limited to repositories owned by the user the token identifies. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.4 and was fixed in versions 3.0.4, 2.22.10, 2.21.18. This vulnerability has been assigned CVE-2021-22865 and was reported via the [GitHub Bug Bounty Program](https://bounty.github.com)."
66
- Packages have been updated to the latest security versions.
77
bugs:
88
- When maintenance mode was enabled, some services continued to be listed as "active processes" even though they were expected to be running, and should not have been listed.
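Review bot: the replacement line hard-codes the product name ("GitHub Enterprise Server", twice) while the unchanged `intro:` line two lines above it in the same file spells it as `{% data variables.product.prodname_ghe_server %}`; suggest using the variable in the new security_fixes entry as well (here and in the two sibling files) for consistency with the file's own convention. The advisory content itself matches the other two hunks, including the same missing "and" before the last version number.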
