PT-2022-16239 · Github · Github Enterprise Server

Alex Chapman

·

Published

2022-10-19

·

Updated

2025-05-09

·

CVE-2022-23734

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

GitHub Enterprise Server versions prior to 3.6. On the 3.2, 3.3, 3.4 and 3.5 release lines the fix ships in the patch releases listed below; versions earlier than these on the same line are affected, the patch releases themselves contain the fix:
GitHub Enterprise Server version 3.5.3
GitHub Enterprise Server version 3.4.6
GitHub Enterprise Server version 3.3.11
GitHub Enterprise Server version 3.2.16
Description

A deserialization of untrusted data issue was identified that could lead to remote code execution on the SVNBridge. To exploit it, an attacker would first need a server-side request forgery (SSRF) that lets them control the data being deserialized. This issue was reported via the GitHub Bug Bounty program.
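The description names the weakness class (deserialization of attacker-controlled data reached through an SSRF) but not the serialization format or the code involved. The following is an added example, not code from the advisory or from GitHub: it uses Ruby's Marshal as an assumed stand-in to show why letting untrusted bytes choose which classes are instantiated hands the attacker code execution, next to a data-only alternative. JobRunner, attacker_payload, vulnerable_load, hardened_load and ALLOWED_FIELDS are hypothetical names for the illustration; the payload is constructed locally and no SSRF is performed.

```ruby
require 'json'

# Hypothetical application class standing in for code that does work when an
# instance is rebuilt from a serialized stream. Ruby calls marshal_load on
# every object of this class that Marshal.load encounters; real gadget chains
# abuse library classes with hooks like this. Recording into `executed`
# stands in for the system() call a real gadget would make.
class JobRunner
  @executed = []
  class << self
    attr_reader :executed
  end

  def initialize(command)
    @command = command
  end

  def marshal_dump
    [@command]
  end

  def marshal_load(fields)
    @command = fields[0]
    self.class.executed << @command
  end
end

# Bytes an attacker could place in a response that the service fetches via
# SSRF and then deserializes (constructed locally here; no network involved).
def attacker_payload
  Marshal.dump(JobRunner.new('id'))
end

# Vulnerable pattern: the input stream decides which classes get
# instantiated and which hooks run.
def vulnerable_load(bytes)
  Marshal.load(bytes)
end

# Hardened pattern: a data-only format plus an allow-list of fields.
# JSON.parse builds only strings, numbers, booleans, arrays and hashes, so
# the input cannot name a class or trigger a hook.
ALLOWED_FIELDS = %w[repo revision].freeze

def hardened_load(text)
  data = JSON.parse(text)
  raise ArgumentError, 'expected a JSON object' unless data.is_a?(Hash)
  data.select { |key, _| ALLOWED_FIELDS.include?(key) }
end

if $PROGRAM_NAME == __FILE__
  vulnerable_load(attacker_payload)
  puts "hooks run by Marshal.load: #{JobRunner.executed.inspect}"
  puts hardened_load('{"repo":"octo/app","revision":42,"cmd":"id"}').inspect
end
```

Loading the constructed payload with Marshal.load runs the class's load hook with an attacker-chosen argument before the caller ever sees the returned object; feeding the same bytes to the JSON path fails to parse, and a well-formed JSON document can only yield the allow-listed fields. Restricting which clients can reach the deserializing endpoint, as the workaround below advises, removes the SSRF precondition rather than the weakness itself.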
Recommendations

For versions prior to 3.6, update to version 3.6 or later, or to the fixed patch release for your release line. Versions 3.5.3, 3.4.6, 3.3.11 and 3.2.16 already contain the fix and require no additional action. As a temporary workaround, consider restricting access to the SVNBridge to minimize the risk of exploitation.
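A check a practitioner can run against an instance inventory, added here as an example and not tooling from the advisory or from GitHub: it encodes the fixed releases named above per release line, so that a version is only treated as patched when it is at or above the fix for its own line. The host names and versions in SAMPLE_INVENTORY are constructed; needs_update_for_cve_2022_23734? and hosts_needing_update are hypothetical helper names.

```ruby
require 'rubygems' # Gem::Version

# Fixed patch releases named in the advisory, keyed by release line.
FIXED_IN_LINE = {
  '3.2' => '3.2.16',
  '3.3' => '3.3.11',
  '3.4' => '3.4.6',
  '3.5' => '3.5.3'
}.freeze
FIRST_FIXED_FEATURE_RELEASE = '3.6.0'

# True when the given GitHub Enterprise Server version still needs an update
# for this issue. Release lines older than 3.2 have no fixed release listed
# in the advisory, so they are reported as needing an update to 3.6.
def needs_update_for_cve_2022_23734?(version_string)
  version = Gem::Version.new(version_string)
  return false if version >= Gem::Version.new(FIRST_FIXED_FEATURE_RELEASE)

  line = version.segments.first(2).join('.')
  fixed = FIXED_IN_LINE[line]
  return true if fixed.nil?

  version < Gem::Version.new(fixed)
end

# Fleet check: takes a hostname => version map and returns the hosts that
# still need patching together with the nearest fixed release for each.
def hosts_needing_update(inventory)
  inventory.each_with_object({}) do |(host, ver), out|
    next unless needs_update_for_cve_2022_23734?(ver)

    line = Gem::Version.new(ver).segments.first(2).join('.')
    out[host] = FIXED_IN_LINE.fetch(line, FIRST_FIXED_FEATURE_RELEASE)
  end
end

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
  'ghes-prod-1' => '3.5.2',
  'ghes-prod-2' => '3.5.3',
  'ghes-stage'  => '3.3.4',
  'ghes-legacy' => '3.1.9',
  'ghes-new'    => '3.6.1'
}.freeze

if $PROGRAM_NAME == __FILE__
  hosts_needing_update(SAMPLE_INVENTORY).each do |host, target|
    puts "#{host}: update to #{target} or later"
  end
end
```

The per-line table matters: a single comparison such as "at least 3.2.16" would report 3.3.0 through 3.3.10 as patched although the fix for that line only arrived in 3.3.11.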

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2022-23734

Affected Products

Github Enterprise Server