On Thursday, January 18th at 5PM EST, the GitHub Service Team will take the GitHub Enterprise service offline for an emergency upgrade. We expect the upgrade to take no longer than an hour to complete. Any updates will be made to the NC State Service Portal.
Security fixes
- HIGH: An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console. GitHub has requested CVE ID CVE-2024-0507 for this vulnerability, which was reported via the GitHub Bug Bounty program.
- HIGH: An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of Private Mode by using a specially crafted API request. Private Mode is the mechanism that enforces authentication for publicly-scoped resources and this vulnerability would allow unauthenticated attackers to gain access to various types of resources set as public within the instance. To exploit this vulnerability, an attacker would need network access to the GitHub Enterprise Server instance configured in Private Mode. This vulnerability was reported via the GitHub Bug Bounty program. This vulnerability was reported via the GitHub Bug Bounty program and assigned CVE-2023-6847.
- HIGH: An attacker could leverage an unsafe reflection vulnerability in GitHub Enterprise Server (GHES) that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the GHES instance with the organization owner role. GitHub has requested CVE ID CVE-2024-0200 for this vulnerability, which was reported via the GitHub Bug Bounty program.
- MEDIUM: An incorrect authorization vulnerability was identified that allowed issue comments to be read with an improperly scoped token. This vulnerability was reported via the GitHub Bug Bounty Program and has been assigned CVE-2023-51380.
- Packages have been updated to the latest security versions.
Bug fixes
- Support for authenticating to GitHub Enterprise Server using GitHub CLI OAuth App with a device code was unintentionally disabled.
- During periods of high load, users would see intermittent interruptions to services when upstream services failed internal health checks.
- On an instance with GitHub Actions enabled, some maintenance tasks could fail due to incomplete upgrade steps during previous upgrades to new releases of GitHub Enterprise Server.
- Deleting a repository would enqueue unnecessary background jobs that would never complete.
- When creating a new custom pattern for secret scanning, the “More options” section of the custom pattern form automatically collapsed when a user entered an invalid regex in the post processing expressions (before/after secret match or additional secret requirements).
- On an instance with a GitHub Advanced Security license and secret scanning enabled, users could experience a
500
error when viewing a secret scanning alert page in cases where the alerted commits belonged to the user and one or more commits could not be found. - On an instance that uses SAML for authentication, an upgrade from GitHub Enterprise Server 3.7 to 3.9 could result in user login failures due to an outdated gem dependency.
Changes
- To avoid leaking secrets, the logging of all parameters is disabled for Management Console events in enterprise audit logs.