CVE-2022-23740

Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server version 3.7.0

Description An improper neutralization of argument delimiters in a command vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. To exploit this vulnerability, an attacker would need permission to create and build GitHub Pages using GitHub Actions. This vulnerability was reported via the GitHub Bug Bounty program.

Recommendations For version 3.7.0, update to version 3.7.1 to resolve the issue. As a temporary workaround, consider restricting access to GitHub Actions and GitHub Pages to minimize the risk of exploitation. Avoid using GitHub Actions to build GitHub Pages until the issue is resolved.