A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.8.0 and was fixed in versions 3.4.15, 3.5.12, 3.6.8, 3.7.5. This vulnerability was reported via the GitHub Bug Bounty program.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_P
Published: 2023-03-02T20:54:34.191Z
Updated: 2024-08-02T10:07:06.540Z
Reserved: 2022-12-20T16:09:19.318Z
Link: CVE-2023-22381
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-03-02T21:15:10.403
Modified: 2024-11-21T07:44:40.223
Link: CVE-2023-22381
Redhat
No data.