Upgrades

GitHub Upgrade – 3.10.4

By Chris Deaton

On Thursday, January 4, 2024 at 5PM EST, the GitHub Service team will apply an emergency upgrade to include several critical security fixes to the NC State GitHub Enterprise instance.

During the upgrade, no one will be able to interact with the GitHub service in any way. We expect the upgrade to take no longer than an hour. Any updates occurring during the upgrade process will be posted to the NC State Service Portal.

Any questions regarding the upgrade can be send to github@help.ncsu.edu.

Security fixes

  • HIGH: An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of private mode by using a specially crafted API request. Private mode is the mechanism that enforces authentication for publicly-scoped resources. For more information, see “Enabling private mode.”This vulnerability would allow unauthenticated attackers to gain access to various types of resources set as public on the instance. To exploit this vulnerability, an attacker would need network access to the GitHub Enterprise Server instance configured in private mode. This vulnerability was reported via the GitHub Bug Bounty program and assigned CVE-2023-6847.
  • HIGH: An attacker with access to a Management Console user account with the editor role could escalate privileges by making requests to the endpoint used for bootstrapping the instance, and then reset the root site administrator password. GitHub has requested CVE ID CVE-2023-46647 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • HIGH: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the GitHub Bug Bounty program and assigned CVE-2023-46645.
  • MEDIUM: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID CVE-2023-6746 for this vulnerability.
  • MEDIUM: Due to an insufficient entropy vulnerability, an attacker could brute force a user invitation to the Management Console. To exploit this vulnerability, an attacker would have needed knowledge that a user invitation was pending. This vulnerability was reported via the GitHub Bug Bounty program and assigned CVE-2023-46648.
  • MEDIUM: An attacker could maintain admin access via a race condition when an organization was converted from a user. GitHub has requested CVE ID CVE-2023-46649 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: Due to an improper access control, an attacker could view private repository names by enumerating check run IDs with the “Get a check run” API endpoint. This vulnerability did not allow unauthorized access to any repository content other than the name. GitHub has requested CVE ID CVE-2023-46646 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: An attacker could maintain admin access to a transferred repository in a race condition by making a GraphQL mutation to alter repository permissions during the transfer. GitHub has requested CVE ID CVE-2023-6690 for this vulnerability, which reported via the GitHub Bug Bounty program.
  • MEDIUM: An insertion of sensitive information into log file in the audit log in GitHub Enterprise Server was identified that that could allow an attacker to gain access to the Management Console. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID CVE-2023-6802 for this vulnerability.
  • MEDIUM: A race condition in GitHub Enterprise Server allowed an outside collaborator to be added while a repository is being transferred. GitHub has requested CVE ID CVE-2023-6803 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped personal access token. To exploit this, a workflow must have already existed in the target repository. GitHub has requested CVE ID CVE-2023-6804 for this vulnerability, which was reported via the GitHub Bug Bounty program.
  • MEDIUM: An incorrect authorization vulnerability was identified that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required contents.write and issues.read permissions. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-51379.
  • MEDIUM: An incorrect authorization vulnerability was identified that allowed issue comments to be read with an improperly scoped token. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-51380.
  • LOW: Pre-receive hooks have been further hardened against shell command injections.
  • LOW: To render interactive maps in an instance’s web UI using Azure Maps, GitHub Enterprise Server has migrated from use of an unsecure Azure Maps API token to a more secure access token provided by role-based access control (RBAC) in Entra ID. After upgrading to this release, to re-enable interactive maps, an administrator must reconfigure authentication to Azure Maps in the Management Console. For more information, see “Configuring interactive maps.”
  • To address scenarios that could lead to denial of service, HAProxy has been upgraded to version 2.8.4.
  • Packages have been updated to the latest security versions.

Bug fixes

  • Some OAuth applications did not have device code flow (DCF) explicitly enabled, which prevented DCF from running correctly.
  • Support for authenticating to GitHub Enterprise Server from Visual Studio Code with a device code was unintentionally disabled.
  • Some responses from the REST API included an incorrect URL in the link header.
  • After a user started a repository transfer, if another user viewed the repository before the transfer finished, the repository overview rendered incorrectly.
  • On some instances, the user interface displayed a codespace button, even though GitHub Codespaces is not supported on GitHub Enterprise Server.
  • On an instance with GitHub Actions enabled, users occasionally got a 500 error when viewing a job with a pending deployment.
  • On an instance with GitHub Actions enabled, an issue with GH_TOKEN sometimes prevented GitHub Pages sites from building successfully in workflows.
  • A user in the process of being converted into an organization could be added as a collaborator on a repository. This resulted in the new organizations owners unexpectedly receiving access to the repository.

Changes

  • On an instance with Dependabot updates enabled, Dependabot relies on the node installation provided by the actions runner instead of dynamically downloading.
  • To improve reliability of release uploads in low-bandwidth environments, the time-to-live (TTL) value of the token for uploading release assets has increased from 1 hour to 3 hours.

Some changes have been omitted for brevity. Please refer to the GitHub Release notes for a complete changelog of the 3.10.4 upgrade.