CVE-2022-46256

moderate-risk

Published 2022-12-14

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was fixed in versions 3.3.17, 3.4.12, 3.5.9, 3.6.5 and 3.7.2. This vulnerability was reported via the GitHub Bug Bounty program.

Do I need to act?

~

6.6% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

8

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (1)

Enterprise Server

Affected Vendors

Github

References (10)

https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.17

https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.12

https://docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.9

https://docs.github.com/en/enterprise-server%403.6/admin/release-notes#3.6.5

https://docs.github.com/en/enterprise-server%403.7/admin/release-notes#3.7.2

https://docs.github.com/en/enterprise-server%403.3/admin/release-notes#3.3.17

https://docs.github.com/en/enterprise-server%403.4/admin/release-notes#3.4.12

https://docs.github.com/en/enterprise-server%403.5/admin/release-notes#3.5.9

https://docs.github.com/en/enterprise-server%403.6/admin/release-notes#3.6.5

https://docs.github.com/en/enterprise-server%403.7/admin/release-notes#3.7.2

44

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 9/34 · Low

Exposure 5/34 · Minimal