CVE-2023-46645 in GitHub

Summary

by MITRE • 12/21/2023

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program.


Analysis

by VulDB Data Team • 01/14/2024

This vulnerability is a critical path traversal flaw in GitHub Enterprise Server that enables unauthorized file reading during the GitHub Pages site build. The issue stems from insufficient validation and sanitization of file paths during static site generation, allowing attackers with minimal privileges to read arbitrary files on the server filesystem. The flaw manifests specifically during the Pages build process, where the system fails to properly sanitize user-supplied paths that may contain directory traversal sequences such as ../ or ..\.

In technical terms, the flaw allows an attacker to shape file paths so that they bypass the normal access controls and directory restrictions of the build. When GitHub Enterprise Server processes user-generated content for a Pages site, it does not adequately validate or canonicalize the file paths involved, so a crafted repository can reference locations that traverse the filesystem hierarchy outside the build root. The vulnerability operates at the application layer and requires only the minimal permissions needed to create and build Pages sites, which are typically granted to repository collaborators or contributors. The flaw maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal') and CWE-23 (Relative Path Traversal), both members of the path traversal family of weaknesses that have been consistently exploited in web applications.

The operational impact of this vulnerability extends beyond simple information disclosure, as it could potentially expose sensitive configuration files, authentication credentials, or system-level data that may be stored in accessible locations within the server filesystem. Attackers could leverage this vulnerability to extract database connection strings, API keys, or other confidential information that could be used for further compromise of the enterprise environment. The affected versions span multiple release lines from 3.7 through 3.11, indicating a prolonged period during which organizations using GitHub Enterprise Server were potentially exposed to this risk. The vulnerability's exploitation requires only the ability to create and build Pages sites, which is often granted to legitimate users within collaborative environments, making the attack surface more accessible than vulnerabilities requiring administrative privileges.

The mitigation is to apply the patched releases from GitHub: 3.7.19, 3.8.12, 3.9.7, 3.10.4 and 3.11.1. Organizations should upgrade their GitHub Enterprise Server installations to the patched version of their release line without delay to eliminate the path traversal risk. Where possible, administrators should also restrict which users and networks can reach the Pages build functionality, and add monitoring for unusual file access patterns on the instance. That the vulnerability was reported through GitHub's Bug Bounty program demonstrates the value of coordinated disclosure and community-driven security research in finding and fixing critical flaws in enterprise software. The incident underlines the need for proper input validation and secure coding practices, particularly when user-supplied data is used in filesystem operations, and aligns with ATT&CK techniques related to privilege escalation and credential access through path traversal vulnerabilities.
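The analysis above describes the missing control as a failure to validate and canonicalize user-supplied paths, and the closing paragraph calls for proper input validation in filesystem operations. The following is an added example, not GitHub's code, of the containment check a static site build step needs: it canonicalizes each content path against a build root and rejects anything that resolves outside it, covering ../ and ..\ sequences, a leading separator, symlinks, and a shared-prefix directory name. The build root layout and all sample paths are constructed for the demo.

```python
# Added example (not GitHub's code): a path-containment check of the kind the
# analysis says was missing. Every content path is canonicalized against the
# build root and rejected if it resolves outside that root.
import os
import tempfile
from pathlib import Path

class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the build root."""

def naive_join(build_root, user_path):
    """The flawed pattern: join and normalize, with no containment check."""
    return os.path.normpath(os.path.join(build_root, user_path))

def resolve_in_root(build_root, user_path):
    """Return the canonical absolute path of user_path inside build_root,
    or raise PathTraversalError if it escapes the root."""
    root = os.path.realpath(build_root)
    # Treat backslashes as separators so a Windows-style "..\" sequence is
    # normalized instead of surviving on POSIX as a literal name component.
    normalized = user_path.replace("\\", "/")
    # Drop a leading separator: os.path.join would otherwise discard the root.
    candidate = os.path.realpath(os.path.join(root, normalized.lstrip("/")))
    # realpath follows symlinks, so a link inside the root pointing outside it
    # is caught. Compare whole components, not string prefixes: "/srv/build"
    # must not accept "/srv/build-other/x".
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError(f"{user_path!r} escapes {root}")
    return candidate

def check_paths(build_root, paths):
    """Classify each candidate path as accepted or rejected by the hardened check."""
    results = {}
    for p in paths:
        try:
            resolve_in_root(build_root, p)
            results[p] = "accepted"
        except PathTraversalError:
            results[p] = "rejected"
    return results

def demo():
    """Constructed layout: a site root plus a symlink that points outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "site")
        os.makedirs(os.path.join(root, "_posts"))
        outside = os.path.join(tmp, "secret.txt")
        Path(outside).write_text("constructed secret")
        os.symlink(outside, os.path.join(root, "link"))
        samples = ["_posts/hello.md", "../secret.txt",
                   "_posts/..\\..\\secret.txt", "link", "/_posts/x.md"]
        return check_paths(root, samples)
```

Calling demo() shows only the two in-root paths accepted; the relative, backslash and symlink escapes are all rejected, whereas naive_join happily returns a path outside the root for the same input.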
