CVE-2022-23740
HIGH
GitHub Enterprise Server - Remote Code Execution
Title source: ruleDescription
CRITICAL: An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This vulnerability affected only version 3.7.0 of GitHub Enterprise Server and was fixed in version 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program.
Scores
CVSS v3
8.8
EPSS
0.0292
EPSS Percentile
86.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-88
Status
published
Affected Products (1)
github/enterprise_server
Timeline
Published
Nov 23, 2022
Tracked Since
Feb 18, 2026