Lucene search

GitHub_PCVE-2023-22380

HistoryFeb 16, 2023 - 9:15 p.m.

CVE-2023-22380

2023-02-1621:15:14

CWE-22

GitHub_P

web.nvd.nist.gov

cve-2023-22380

github

enterprise server

path traversal

vulnerability

arbitrary file reading

github pages

exploit

permission

github bug bounty program

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

29.4%

JSON

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.6. This vulnerability was reported via the GitHub Bug Bounty program.

Affected configurations

Nvd

Vulners

Node

githubenterprise_serverRange3.7.0–3.7.6

VendorProductVersionCPE
githubenterprise_server*cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
github	enterprise_server	*	cpe:2.3:a:github:enterprise_server::::::::

CNA Affected

[
  {
    "vendor": "GitHub",
    "product": "GitHub Enterprise Server",
    "versions": [
      {
        "version": "3.7",
        "status": "affected",
        "lessThan": "3.7.6",
        "versionType": "custom"
      }
    ]
  }
]

References

docs.github.com/en/enterprise-server%403.7/admin/release-notes#3.7.6

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

29.4%

JSON

Related for CVE-2023-22380