Unsafe configuration options in GitHub Pages leading to remote code execution on GitHub Enterprise Server

A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and was fixed in 2.21.6, 2.20.15, and 2.19.21. The underlying issues contributing to this vulnerability were identified both internally and through the GitHub Security Bug Bounty program.

N/A

在命令中使用的特殊元素转义处理不恰当(命令注入)

GitHub Enterprise Server 注入漏洞

GitHub是一套面向开源及私有软件项目的托管平台。Git是一套免费、开源的分布式版本控制系统。 GitHub Enterprise Server存在安全漏洞，该漏洞源于GitHub页面使用的底层解析器的用户控制配置没有足够的访问控制权限，因此可以在GitHub企业服务器实例上执行命令。具体受影响的环境如下：GitHub Enterprise Server 2.22之前版本，其中2.21.6，2.20.15和2.19.21已修复。

N/A

N/A