GitHub Upgrade – 2.22.7

The 2.22.7 patch is a high level security patch, which also fixes a handful of bugs. 

Security Fixes

  • HIGH: An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests. An attacker would need to be able to fork the targeted repository, a setting that is disabled by default for organization owned private repositories. Branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability has been assigned CVE-2021-22861.
  • HIGH: An improper access control vulnerability was identified in the GitHub Enterprise Server GraphQL API that allowed authenticated users of the instance to modify the maintainer collaboration permission of a pull request without proper authorization. By exploiting this vulnerability, an attacker would be able to gain access to head branches of pull requests opened on repositories of which they are a maintainer. Forking is disabled by default for organization owned private repositories and would prevent this vulnerability. Additionally, branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. This vulnerability has been assigned CVE-2021-22863.
  • HIGH: A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability has been assigned CVE-2020-10519.
  • MEDIUM: GitHub Tokens from GitHub Pages builds could end up in logs.
  • LOW: A specially crafted request to the SVN bridge could trigger a long wait before failure resulting in Denial of Service (DoS).
  • Packages have been updated to the latest security versions.

Bug Fixes

  • When editing a wiki page a user could experience a 500 error when clicking the Save button.
  • An S/MIME signed commit using a certificate with multiple names in the subject alternative name would incorrectly show as “Unverified” in the commit badge.
  • Suspended user was sent emails when added to a team.
  • User saw 500 error when executing git operations on an instance configured with LDAP authentication.
  • When a GitHub Pages build failed, the email notification contained an incorrect link for support location.
  • During a leap year, the user was getting a 404 response when trying to view Contribution activity on a Monday.

Due to the high severity security fixes, this patch will be applied off the usual schedule.

The update will be applied Thursday March 4th , 2021 at 5:00PM.

See the complete upgrade notes at GitHub Enterprise: https://enterprise.github.com/releases/2.22.7/notes