CVE-2022-23740

HIGH

GitHub Enterprise Server 3.7.0 - Remote Code Execution via GitHub Pages Build

Title source: llm

Description

CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This vulnerability affected only version 3.7.0 of GitHub Enterprise Server and was fixed in version 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program.

References (1)

Core 1

Core References

Various Sources

https://docs.github.com/en/enterprise-server%403.7/admin/release-notes#3.7.1

Scores

CVSS v3 8.8

EPSS 0.0111

EPSS Percentile 61.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-88

Status published

Products (1)

github/enterprise_server 3.7.0

Published Nov 23, 2022

Tracked Since Feb 18, 2026