First published: Thu Mar 02 2023
A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.8.0 and was fixed in versions 3.4.15, 3.5.12, 3.6.8, 3.7.5. This vulnerability was reported via the GitHub Bug Bounty program.
Credit: product-cna@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
GitHub Enterprise Server | <3.4.15 | Update to 3.4.15 |
GitHub Enterprise Server | >=3.5.0 <3.5.12 | Update to 3.5.12 |
GitHub Enterprise Server | >=3.6.0 <3.6.8 | Update to 3.6.8 |
GitHub Enterprise Server | >=3.7.0 <3.7.5 | Update to 3.7.5 |
CVE-2023-22381 is rated high severity, with a CVSS base score of 8.8.
The affected software for CVE-2023-22381 is GitHub Enterprise Server: all versions before 3.4.15, versions 3.5.0 up to but not including 3.5.12, versions 3.6.0 up to but not including 3.6.8, and versions 3.7.0 up to but not including 3.7.5. Release 3.8.0 and later are not affected.
CVE-2023-22381 is a code injection flaw in GitHub Actions on GitHub Enterprise Server: when a workflow runs on a Windows-based runner, a single environment variable value can be used to set arbitrary additional environment variables.
To exploit CVE-2023-22381, an attacker needs existing permission to control the value of an environment variable used by a GitHub Actions workflow that runs on a Windows-based runner; the injected value is then used to define further variables of the attacker's choosing.
To fix CVE-2023-22381, update GitHub Enterprise Server to 3.4.15, 3.5.12, 3.6.8, or 3.7.5, whichever patched release matches the branch in use, or to 3.8.0 or later.
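The advisory describes the impact (one controlled value defines arbitrary extra variables) but not the runner's exact parsing flaw. The following is an added illustration of that vulnerability class, not code from GitHub or the actions/runner project: it models the flaw as a naive line-based parser of `NAME=VALUE` env-file entries, so a value that smuggles a line ending becomes a second entry, and contrasts it with a workflow-side single-line guard and with the delimited multiline form that GitHub documents for environment files. The `ghadelimiter_` prefix, the `MY_VAR` name and the `PATH` payload are constructed for the example.

```python
"""Environment-file injection, illustrated (added example, not GitHub's code)."""
from __future__ import annotations

import secrets


def parse_env_file_naive(text: str) -> dict:
    """Naive parser: every line ending (LF or CRLF) starts a new NAME=VALUE entry.
    A value that carries an embedded line ending therefore defines extra
    variables. This models the assumed flaw; the real runner code may differ."""
    env = {}
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        name, sep, value = line.partition("=")
        if sep:
            env[name.strip()] = value
    return env


def write_env_naive(name: str, value: str) -> str:
    """Writes NAME=VALUE without inspecting the value for line endings."""
    return f"{name}={value}\n"


def is_single_line(value: str) -> bool:
    """Cheap workflow-side guard: refuse values that contain CR or LF."""
    return "\r" not in value and "\n" not in value


def write_env_delimited(name: str, value: str, delimiter: str = "") -> str:
    """Multiline form documented by GitHub for environment files:
        NAME<<DELIMITER
        value lines...
        DELIMITER
    A random delimiter makes it impractical for a value to terminate the
    block early. The 'ghadelimiter_' prefix is a naming choice for this example."""
    if not delimiter:
        delimiter = "ghadelimiter_" + secrets.token_hex(16)
    if delimiter in value:
        raise ValueError("delimiter occurs in value; choose another")
    return f"{name}<<{delimiter}\n{value}\n{delimiter}\n"


def parse_env_file_delimited(text: str) -> dict:
    """Parser that honours the delimited form: everything between the
    NAME<<DELIMITER line and the matching DELIMITER line is one value, so
    line endings inside it cannot create new entries. CRLF is normalised to LF."""
    env = {}
    lines = text.replace("\r\n", "\n").split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        if "<<" in line:
            name, _, delimiter = line.partition("<<")
            chunk = []
            while i < len(lines) and lines[i] != delimiter:
                chunk.append(lines[i])
                i += 1
            if i >= len(lines):
                raise ValueError(f"unterminated multiline value for {name!r}")
            i += 1  # consume the closing delimiter line
            env[name.strip()] = "\n".join(chunk)
        else:
            name, sep, value = line.partition("=")
            if sep:
                env[name.strip()] = value
    return env


# Constructed attacker-controlled value: looks like one value but carries a
# Windows line ending followed by a second NAME=VALUE pair.
INJECTED_VALUE = "harmless\r\nPATH=C:\\evil;%PATH%"


def demo() -> tuple[dict, dict, bool]:
    """Returns (naive result, delimited result, guard verdict) for the payload."""
    vulnerable = parse_env_file_naive(write_env_naive("MY_VAR", INJECTED_VALUE))
    hardened = parse_env_file_delimited(
        write_env_delimited("MY_VAR", INJECTED_VALUE, delimiter="ghadelimiter_fixed")
    )
    return vulnerable, hardened, is_single_line(INJECTED_VALUE)


if __name__ == "__main__":
    naive, delimited, guard_ok = demo()
    print("naive parser :", naive)       # two variables; PATH was hijacked
    print("delimited    :", delimited)   # one variable; line ending kept inside
    print("single-line  :", guard_ok)    # False: the guard would reject the value
```

The naive path yields two variables from one write, which is the shape of impact the advisory describes; the delimited path keeps the whole payload inside `MY_VAR`. In a workflow, the practical mitigations are the same two shown here: reject or escape CR/LF in any untrusted value before it is written to an environment file, and use the delimited form with a random delimiter for anything that may legitimately span lines.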