GitHub Upgrade – 3.7.2

Because this patch contains a high-severity security fix, it is scheduled for upgrade as soon as possible.

The GitHub Service Team will apply the upgrade at 5:00 PM EST on Wednesday, December 14th 2022.

The full changelog can be found in the GitHub Enterprise Release Notes.

Security Fixes

  • HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed remote code execution when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the instance. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2022-46256.

Bug Fixes

  • When users performed an operation using the API, GitHub Enterprise Server enforced repository size quotas even when disabled globally.
  • In some cases, searches via the API returned a 500 error.
  • Adding a collaborator to a user-owned fork of a private, organization-owned repository with triage, maintain, or custom access resulted in a 500 error.
  • In some cases, the page for setting up code scanning would erroneously report that GitHub Actions was not configured for the instance.
  • Dismissing a Dependabot alert that contained certain characters could result in a 400 error.
  • After a user’s account was deleted from the instance, image attachments that the user uploaded in comments were no longer visible in the web interface.
  • A GHES log file could fill very quickly and cause the root drive to run out of free space.
  • When viewing code scanning results for Ruby, an erroneous beta label appeared.

Changes

  • After an enterprise owner enables Dependabot alerts, GitHub Enterprise Server enqueues the synchronization of advisory data to ensure hourly updates from GitHub.com.
  • A user’s list of recently accessed repositories no longer includes deleted repositories.