CVE-2023-22381: 
GitHub Enterprise Server vulnerability analysis and mitigation

A code injection vulnerability (CVE-2023-22381) was identified in GitHub Enterprise Server that allowed setting arbitrary environment variables from a single environment variable value in GitHub Actions when using a Windows based runner. The vulnerability was discovered and disclosed in February 2023. To exploit this vulnerability, an attacker would need existing permission to control the value of environment variables for use with GitHub Actions. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.8.0 (NVD).

The vulnerability is classified as a code injection vulnerability (CWE-94) that allowed attackers to set arbitrary environment variables through improper sanitization of null bytes when using a Windows-based runner in GitHub Actions. The vulnerability was fixed in GitHub Enterprise Server versions 3.4.15, 3.5.12, 3.6.8, and 3.7.5 (GitHub Release Notes).

The vulnerability could allow an attacker with existing permissions to control environment variables in GitHub Actions to inject arbitrary environment variables on Windows-based runners, potentially leading to code execution within the GitHub Actions environment (NVD).

The vulnerability was patched in GitHub Enterprise Server versions 3.4.15, 3.5.12, 3.6.8, and 3.7.5. Organizations running affected versions should upgrade to the patched versions to mitigate this vulnerability (GitHub Release Notes).