Lucene search

GitHub_PCVE-2022-46255

HistoryDec 14, 2022 - 6:15 p.m.

CVE-2022-46255

2022-12-1418:15:23

CWE-22

GitHub_P

web.nvd.nist.gov

github

enterprise server

vulnerability

remote code execution

nvd

cve-2022-46255

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.004

Percentile

74.9%

JSON

An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. A check was added within Pages to ensure the working directory is clean before unpacking new content to prevent an arbitrary file overwrite bug. This vulnerability affected only version 3.7.0 of GitHub Enterprise Server and was fixed in version 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program.

Affected configurations

Nvd

Vulners

Node

githubenterprise_serverMatch3.7.0

VendorProductVersionCPE
githubenterprise_server3.7.0cpe:2.3:a:github:enterprise_server:3.7.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
github	enterprise_server	3.7.0	cpe:2.3:a:github:enterprise_server:3.7.0:::::::*

CNA Affected

[
  {
    "vendor": "GitHub",
    "product": "GitHub Enterprise Server",
    "versions": [
      {
        "version": "3.7",
        "status": "affected",
        "lessThan": "3.7.1",
        "versionType": "custom"
      }
    ]
  }
]

References

docs.github.com/en/enterprise-server%403.7/admin/release-notes#3.7.1

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.004

Percentile

74.9%

JSON

Related for CVE-2022-46255