Vuln in GitHub Enterprise server could enable RCE on SVNBridge

Posted on October 19, 2022

Vulnerability has not been assigned a severity rating yet.

What: A deserialization of untrusted data vulnerability (CVE-2022-23734) exists in multiple GitHub Enterprise Server versions that could potentially let a remote attacker execute arbitrary code on the SVNBridge open-source extension for Microsoft Azure DevOps Server. To exploit the flaw, an attacker would need to have access via a server-side request forgery and have control of the data being deserialized, according to NIST.

  • The vulnerability affects all GitHub Enterprise Server versions prior to 3.6.
  • It has been addressed in the following versions: 3.5.3, 3.4.6, 3.3.11, and 3.2.16.

What is a deserialization of untrusted data vulnerability (CWE-502)? OWASP describes it as a vulnerability that gives attackers a way to use malformed or unexpected data to abuse application logic, trigger denial of service, or execute arbitrary code when it is deserialized. Or, as application security vendor Snyk puts it, “deserialization of untrusted data is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker control the state or the flow of the execution.”

Some relatively recent examples of critical vulnerabilities in this class include CVE-2022-23307 in Apache Chainsaw; CVE-2022-23450 in Siemens’ SIMATIC Energy Manager Basic and SIMATIC Energy Manager PRO; and CVE-2021-36567 in certain versions of ThinkPHP.
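The two checks the OWASP and Snyk descriptions call for, restricting which types a deserializer may reconstruct and verifying that the result is valid, are shown below in an added example that is not code from GitHub, SVNBridge, or this post. Python's pickle stands in for the .NET serializer involved in the advisory, and the record fields, allowlist and sample inputs are constructed for illustration.

```python
import collections
import datetime
import io
import pickle

# Classes the loader may reconstruct, as (module, name) pairs. Anything else is
# refused before the unpickler can resolve it. Plain dict/list/str/int values
# never reach find_class, so they need no entry here. (Constructed allowlist.)
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allowlisted globals."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")

def validate_record(obj):
    """Second check: the reconstructed object must match the expected shape."""
    if not isinstance(obj, dict) or set(obj) != {"repo", "revision", "paths"}:
        raise ValueError("record must be a dict with keys repo, revision, paths")
    if not isinstance(obj["repo"], str) or not isinstance(obj["revision"], int):
        raise ValueError("repo must be str and revision must be int")
    if not isinstance(obj["paths"], dict) or not all(
            isinstance(k, str) and isinstance(v, str) for k, v in obj["paths"].items()):
        raise ValueError("paths must map str to str")
    return obj

def load_record(data: bytes) -> dict:
    """Deserialize untrusted bytes through the allowlist, then validate the result."""
    return validate_record(RestrictedUnpickler(io.BytesIO(data)).load())

def try_load(data: bytes):
    """Return (True, record) on success or (False, reason) when the input is rejected."""
    try:
        return True, load_record(data)
    except (pickle.UnpicklingError, ValueError) as exc:
        return False, str(exc)

# Constructed sample inputs (not taken from the advisory).
GOOD = pickle.dumps({"repo": "svn-mirror", "revision": 42,
                     "paths": collections.OrderedDict([("/trunk", "dir")])})
UNLISTED_CLASS = pickle.dumps({"repo": "svn-mirror", "revision": 42,
                               "paths": datetime.datetime(2022, 10, 19)})
WRONG_SHAPE = pickle.dumps(["svn-mirror", 42])

if __name__ == "__main__":
    for label, blob in [("good", GOOD), ("unlisted class", UNLISTED_CLASS),
                        ("wrong shape", WRONG_SHAPE)]:
        print(label, try_load(blob))
```

The unlisted class is refused inside find_class, before any object of that type is constructed, while the schema check catches inputs that use only permitted types but do not have the expected structure.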

Details

NIST NVD vulnerability details (still awaiting analysis)

CVE Report

CWE-502: Deserialization of Untrusted Data

Hardening GitHub Enterprise Server
