CVE-2023-22381 MEDIUM

CVE-2023-22381: Code injection in GitHub Enterprise Server leading to arbitrary environment variables in GitHub Actions

Vendor Github

Product Enterprise Server

Weakness CWE-94 · Code injection

Published March 2, 2023

Last update March 5, 2025

View on NVD All CVEs

CVSS base score

4.1/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

A code injection vulnerability was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.8.0 and was fixed in versions 3.4.15, 3.5.12, 3.6.8, 3.7.5. This vulnerability was reported via the GitHub Bug Bounty program.

Key dates

02Disclosure timeline

March 2, 2023 CVE published

March 5, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-22381 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/94.html

Related vulnerabilities

Identifiers

CVE CVE-2023-22381

CWE CWE-94

CVSS 4.1 / MEDIUM

Affected versions

Vendor Github

Product Enterprise Server

Affected ≥ 3.4.0 and ≤ 3.4.14

Vendor Github

Product Enterprise Server

Affected ≥ 3.5.0 and ≤ 3.5.11

Vendor Github

Product Enterprise Server

Affected ≥ 3.6.0 and ≤ 3.6.7

Vendor Github

Product Enterprise Server

Affected ≥ 3.7.0 and ≤ 3.7.4

CVE-2023-22381: Code injection in GitHub Enterprise Server leading to arbitrary environment variables in GitHub Actions

01Description

02Disclosure timeline

03References

04Related CVE