CVE-2021-22864
📋 TL;DR
This CVE describes a remote code execution vulnerability in GitHub Enterprise Server where attackers with permission to create GitHub Pages sites could manipulate configuration options to override environment variables and execute arbitrary code on the server instance. All GitHub Enterprise Server versions prior to 3.0.3 are affected. The vulnerability requires authenticated access to create and build GitHub Pages sites.
💻 Affected Systems
- GitHub Enterprise Server
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the GitHub Enterprise Server instance, allowing attackers to execute arbitrary code with server privileges, potentially leading to data theft, system takeover, or lateral movement within the network.
Likely Case
Privileged attackers with GitHub Pages creation permissions could execute arbitrary commands on the server, potentially accessing sensitive repository data, user information, or using the server as a foothold for further attacks.
If Mitigated
With proper access controls limiting who can create GitHub Pages sites, the attack surface is significantly reduced, though any authorized user with this permission could still exploit the vulnerability.
🎯 Exploit Status
Exploitation requires authenticated access with GitHub Pages creation permissions. The vulnerability was discovered through GitHub's bug bounty program.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.3, 2.22.9, or 2.21.17
Vendor Advisory: https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.3
Restart Required: Yes
Instructions:
1. Back up your GitHub Enterprise Server instance.
2. Upgrade to version 3.0.3, 2.22.9, or 2.21.17, depending on your current release series.
3. Follow GitHub's upgrade documentation for your specific version.
4. Restart the server after the upgrade completes.
🔧 Temporary Workarounds
Disable GitHub Pages
Temporarily disable the GitHub Pages feature to prevent exploitation while the upgrade is planned:
ghe-config pages.enabled false
ghe-config-apply
Restrict GitHub Pages Permissions
Limit which users and organizations can create GitHub Pages sites, reducing the attack surface.
🧯 If You Can't Patch
- Immediately restrict GitHub Pages creation permissions to only essential, trusted users
- Implement network segmentation to isolate GitHub Enterprise Server from critical systems
🔍 How to Verify
Check if Vulnerable:
Check the current GitHub Enterprise Server version via the management console or over SSH:
ghe-version
Verify Fix Applied:
Confirm the reported version is at or above the patched release for its series (3.0.3, 2.22.9, or 2.21.17):
ghe-version
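As an added example (not part of the advisory), this POSIX shell function classifies a GitHub Enterprise Server version string against the patched releases above: the 2.21, 2.22 and 3.0 series are fixed at 2.21.17, 2.22.9 and 3.0.3, later series are unaffected, and earlier series are affected with no fix release of their own. The wrapper assumes ghe-version prints the version number as the last field of its first output line.

```sh
#!/bin/sh
# Added example, not part of the advisory: decide whether a GitHub Enterprise
# Server version is fixed for CVE-2021-22864 (fixed in 3.0.3, 2.22.9, 2.21.17).

# Patch level at which each affected release series received the fix.
fixed_patch_for_series() {
  case "$1" in
    2.21) echo 17 ;;
    2.22) echo 9 ;;
    3.0)  echo 3 ;;
    *)    echo "" ;;   # series without a dedicated fix release
  esac
}

# Usage: cve_2021_22864_status 3.0.2   -> prints "vulnerable" or "fixed"
# Returns 1 (prints nothing) when the version string is malformed.
cve_2021_22864_status() {
  ver="$1"
  case "$ver" in
    ""|*[!0-9.]*) return 1 ;;           # only digits and dots allowed
  esac
  major="${ver%%.*}"
  rest="${ver#*.}"
  if [ "$rest" = "$ver" ]; then return 1; fi   # needs at least major.minor
  minor="${rest%%.*}"
  rest="${rest#*.}"
  if [ "$rest" = "$minor" ]; then patch=0; else patch="${rest%%.*}"; fi
  for n in "$major" "$minor" "$patch"; do
    case "$n" in ""|*[!0-9]*) return 1 ;; esac
  done
  fixed="$(fixed_patch_for_series "$major.$minor")"
  if [ -n "$fixed" ]; then
    # Affected series with a fix release: compare the patch level.
    if [ "$patch" -ge "$fixed" ]; then echo fixed; else echo vulnerable; fi
  elif [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 1 ]; }; then
    echo fixed        # 3.1 and later shipped after the fix
  else
    echo vulnerable   # 2.20 and earlier: affected, no patched release in series
  fi
}

# On the appliance itself: ghe-version is assumed to print the version number as
# the last field of its first line (format assumption; confirm on your instance).
check_local_ghes() {
  cve_2021_22864_status "$(ghe-version | awk 'NR == 1 { print $NF }')"
}
```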
📡 Detection & Monitoring
Log Indicators:
- Unusual GitHub Pages build processes
- Suspicious configuration changes in GitHub Pages settings
- Unexpected process execution during GitHub Pages builds
Network Indicators:
- Unusual outbound connections from GitHub Enterprise Server during GitHub Pages builds
SIEM Query:
source="github-enterprise" AND (event="pages_build" OR event="pages_config") AND status="success" | search suspicious_patterns
🔗 References
- https://docs.github.com/en/enterprise-server%402.21/admin/release-notes#2.21.17
- https://docs.github.com/en/enterprise-server%402.22/admin/release-notes#2.22.9
- https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.3