CVE-2022-23740

23.11.2022, 18:15

CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This vulnerability affected only version 3.7.0 of GitHub Enterprise Server and was fixed in version 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program.

Argument Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_P	CNA	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 86%

Affected Products (NVD)

Vendor	Product	Version
github	enterprise_server	3.7.0

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
github	github	3.7 ≤ 𝑥 < 3.7.1	CNA

Common Weakness Enumeration

CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

References

https://docs.github.com/en/enterprise-server%403.7/admin/release-notes#3.7.1