Lucene search

[email protected]NVD:CVE-2022-46255

HistoryDec 14, 2022 - 6:15 p.m.

CVE-2022-46255

2022-12-1418:15:23

CWE-22

[email protected]

web.nvd.nist.gov

github

remote code execution

vulnerability

directory pathname

bug bounty program

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

74.9%

JSON

An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. A check was added within Pages to ensure the working directory is clean before unpacking new content to prevent an arbitrary file overwrite bug. This vulnerability affected only version 3.7.0 of GitHub Enterprise Server and was fixed in version 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program.

Affected configurations

Nvd

Node

githubenterprise_serverMatch3.7.0

VendorProductVersionCPE
githubenterprise_server3.7.0cpe:2.3:a:github:enterprise_server:3.7.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
github	enterprise_server	3.7.0	cpe:2.3:a:github:enterprise_server:3.7.0:::::::*

References

docs.github.com/en/enterprise-server%403.7/admin/release-notes#3.7.1

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

74.9%

JSON

Related for NVD:CVE-2022-46255

cvelist1 cve1 prion1