CVE-2021-22868

Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 3.1.8 GitHub Enterprise Server versions prior to 3.0.16 GitHub Enterprise Server versions prior to 2.22.22

Description A path traversal issue was identified that could be exploited when building a GitHub Pages site, allowing an attacker to read files on the GitHub Enterprise Server instance. This is due to insufficient restrictions on user-controlled configuration options used by GitHub Pages. To exploit this, an attacker would need permission to create and build a GitHub Pages site. The issue was reported via the GitHub Bug Bounty program and is related to an incomplete fix for a previous issue.

Recommendations For versions prior to 3.1.8, update to version 3.1.8 or later. For versions prior to 3.0.16, update to version 3.0.16 or later. For versions prior to 2.22.22, update to version 2.22.22 or later.