CVE-2022-46255 in GitHub
Summary
by MITRE • 12/14/2022
An improper limitation of a pathname to a restricted directory vulnerability was identified in GitHub Enterprise Server that enabled remote code execution. A check was added within Pages to ensure the working directory is clean before unpacking new content to prevent an arbitrary file overwrite bug. This vulnerability affected only version 3.7.0 of GitHub Enterprise Server and was fixed in version 3.7.1. This vulnerability was reported via the GitHub Bug Bounty program.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/12/2023
The vulnerability CVE-2022-46255 represents a critical improper limitation of a pathname to a restricted directory issue within GitHub Enterprise Server version 3.7.0. This flaw specifically impacted the Pages functionality of the platform, creating a pathway for remote code execution through arbitrary file overwrite operations. The vulnerability emerged from inadequate validation of working directory paths during content unpacking processes, allowing attackers to manipulate file paths beyond the intended restricted directories. The issue was particularly concerning as it enabled malicious actors to execute arbitrary code on the server by exploiting the insufficient path validation mechanisms in place. This weakness directly violates security principles of least privilege and proper input sanitization, creating a significant attack surface for remote exploitation.
The technical implementation of this vulnerability stems from a failure in the Pages component's handling of file paths during content deployment operations. When new content was being unpacked, the system did not properly validate or sanitize the working directory paths, allowing attackers to craft malicious inputs that could traverse directory structures beyond the intended boundaries. This path traversal vulnerability enabled an attacker to overwrite files in restricted directories, potentially leading to complete system compromise. The flaw was classified under CWE-22, which describes improper limitation of a pathname to a restricted directory, a well-known category of vulnerabilities that frequently results in arbitrary file operations. The vulnerability's exploitation required the attacker to have access to the Pages functionality, which was typically available to authenticated users with appropriate permissions, though the exact privilege requirements were not specified in the initial report.
The operational impact of this vulnerability was severe, as it allowed remote code execution capabilities that could be leveraged to gain complete control over affected GitHub Enterprise Server instances. Attackers could potentially overwrite critical system files, inject malicious code into the Pages deployment process, or establish persistence mechanisms within the server environment. The vulnerability's presence in version 3.7.0 meant that organizations running this specific release were exposed to potential compromise, with the risk extending to all repositories hosted through the affected Pages functionality. The exploitability of this vulnerability was further enhanced by the fact that it was reported through GitHub's Bug Bounty program, indicating that security researchers had already identified and validated the attack vectors. Organizations using GitHub Enterprise Server needed to urgently assess their deployment configurations and implement immediate mitigations, as the vulnerability could be exploited without requiring special privileges beyond normal user access.
The remediation for CVE-2022-46255 was addressed through the release of GitHub Enterprise Server version 3.7.1, which incorporated proper path validation and sanitization mechanisms within the Pages component. The fix specifically targeted the working directory validation process, ensuring that all paths used during content unpacking operations were properly checked against the intended restricted directories. This update implemented stricter controls over file path operations, preventing directory traversal attacks and arbitrary file overwrite scenarios. Organizations were advised to immediately upgrade to version 3.7.1 or later to mitigate the risk, as the vulnerability was actively exploited in the wild. The fix aligns with ATT&CK technique T1059.007 for command and scripting interpreter, as the vulnerability could enable attackers to execute arbitrary commands through the compromised Pages functionality. Security practitioners should also implement monitoring for suspicious file operations and directory traversal attempts as additional defensive measures, particularly focusing on the Pages deployment processes and file system operations within GitHub Enterprise Server environments.