@orangetw discovered a SQL injection vulnerability in an ORDER BY clause that affected a few endpoints only available on GitHub Enterprise instances. The vulnerable code interpolated request parameters directly into the clause, allowing arbitrary SQL to be injected there. Because column names and sort directions cannot be bound as prepared-statement parameters, we addressed the vulnerability by restricting the parameter values to a known set of sort directions and known columns. While this report predates GitHub Enterprise being in scope for our bounty program, we accepted it.
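The following is an added example (not GitHub's code) showing why an interpolated ORDER BY is exploitable and what the allow-list fix looks like. It uses Python's standard-library sqlite3 against a constructed in-memory table; the `users` table, its rows, and the allowed column set are assumptions for illustration, not details from the report.

```python
import sqlite3

# Constructed sample data for the demonstration (not from GitHub Enterprise).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(conn, sort, direction):
    """The pre-fix pattern: identifiers cannot be bound with '?', so the
    request parameters are interpolated straight into the ORDER BY clause."""
    sql = f"SELECT id, login FROM users ORDER BY {sort} {direction}"
    return [row[1] for row in conn.execute(sql)]


def blind_oracle(conn, guess_prefix):
    """Abuse the interpolated sort column as a boolean oracle: the row order
    flips depending on whether a secret value (here, the email of user 1)
    starts with guess_prefix. Nothing is ever printed back from the subquery;
    the attacker reads the answer from the ordering alone."""
    payload = (
        "(CASE WHEN (SELECT email FROM users WHERE id = 1) LIKE "
        f"'{guess_prefix}%' THEN id ELSE -id END)"
    )
    logins = vulnerable_query(conn, payload, "ASC")
    return logins[0] == "alice"  # ascending by id only when the condition holds


# The fix: map user-supplied names onto server-side identifiers and never
# interpolate the user's string itself. The column set is an assumption.
ALLOWED_COLUMNS = {"id": "id", "login": "login", "email": "email"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def safe_query(conn, sort, direction):
    """The post-fix pattern: reject anything outside the known sort columns
    and directions before building the clause from the allow-listed values."""
    column = ALLOWED_COLUMNS.get(str(sort).lower())
    order = ALLOWED_DIRECTIONS.get(str(direction).lower())
    if column is None or order is None:
        raise ValueError(f"invalid sort parameters: {sort!r} {direction!r}")
    sql = f"SELECT id, login FROM users ORDER BY {column} {order}"
    return [row[1] for row in conn.execute(sql)]


def safe_query_rejects(conn, sort, direction):
    """True if the hardened query refuses the given parameters."""
    try:
        safe_query(conn, sort, direction)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("legit:", vulnerable_query(db, "login", "DESC"))
    print("oracle 'a':", blind_oracle(db, "a"))   # secret starts with 'a'
    print("oracle 'z':", blind_oracle(db, "z"))   # it does not
    print("fixed:", safe_query(db, "login", "desc"))
    print("fixed rejects payload:", safe_query_rejects(db, "(SELECT 1)", "asc"))
```

The oracle shows the damage an ORDER BY injection can do even when no query output is reflected: each request leaks one bit about data the endpoint was never meant to expose. The hardened version keeps the interpolation, but only of strings the server itself chose, which is exactly the restriction to known columns and directions described above.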

This vulnerability was fixed in GitHub Enterprise 2.8.5 and 2.7.9.