github - ghsa-vwqq-p7w6-hwg3

ghsa-vwqq-p7w6-hwg3

Vulnerability from github

Published

2023-02-16 21:30

Modified

2023-02-27 15:30

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.6. This vulnerability was reported via the GitHub Bug Bounty program.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-22380"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-16T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.6. This vulnerability was reported via the GitHub Bug Bounty program.",
  "id": "GHSA-vwqq-p7w6-hwg3",
  "modified": "2023-02-27T15:30:19Z",
  "published": "2023-02-16T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22380"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2023-22380

Vulnerability from cvelistv5

Published

2023-02-16 00:00

Modified

2024-08-02 10:07

Severity ?

Summary

Path traversal in GitHub Enterprise Server leading to arbitrary file reading when building a GitHub Pages site

References

▼	URL	Tags
	https://docs.github.com/en/enterprise-server%403.7/admin/release-notes#3.7.6

Impacted products

▼	Vendor	Product
	GitHub	GitHub Enterprise Server

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:07:06.637Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://docs.github.com/en/enterprise-server%403.7/admin/release-notes#3.7.6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GitHub Enterprise Server",
          "vendor": "GitHub",
          "versions": [
            {
              "lessThan": "3.7.6",
              "status": "affected",
              "version": "3.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "yvvdwf"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.6. This vulnerability was reported via the GitHub Bug Bounty program."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-16T00:00:00",
        "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "shortName": "GitHub_P"
      },
      "references": [
        {
          "url": "https://docs.github.com/en/enterprise-server%403.7/admin/release-notes#3.7.6"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Path traversal in GitHub Enterprise Server leading to arbitrary file reading when building a GitHub Pages site"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
    "assignerShortName": "GitHub_P",
    "cveId": "CVE-2023-22380",
    "datePublished": "2023-02-16T00:00:00",
    "dateReserved": "2022-12-20T00:00:00",
    "dateUpdated": "2024-08-02T10:07:06.637Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted