@jonathanwalker discovered that CODEOWNERS files allowed unverified email addresses when mapping addresses to GitHub usernames. If a CODEOWNERS file contained an email address with no associated GitHub account, an attacker could add that address to their own account, without ever verifying it, and become a code owner. This allowed malicious organization members to bypass the “Require review from Code Owners” check on protected branches. Only that check was affected; other protected branch checks such as “Restrict who can push to this branch” were not bypassed. We fixed this issue by only considering verified email addresses when mapping email addresses in CODEOWNERS files to GitHub users.
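To make the failure mode concrete, the following is an added illustration, not GitHub's code or the reporter's: a minimal CODEOWNERS resolver with the pre-fix behaviour (any address on an account counts) beside the fixed behaviour (only verified addresses count), plus the audit check a repository administrator would want: which email-based owner entries resolve to no verified account and are therefore claimable. The account directory, the CODEOWNERS content, the logins and the addresses are all constructed for the example; path matching uses `fnmatch`, a simplification of GitHub's gitignore-style rules.

```python
import fnmatch
import re
from dataclasses import dataclass

# Constructed, hypothetical account directory: login -> {address: verified?}
@dataclass
class Account:
    login: str
    emails: dict

ACCOUNTS = [
    Account("alice", {"alice@example.com": True}),
    # "mallory" is an org member who added the unclaimed address from the
    # CODEOWNERS file to their account but never completed verification.
    Account("mallory", {"mallory@example.com": True, "owner@example.com": False}),
]

# Constructed CODEOWNERS content: src/auth is owned by an email address
# that belongs to no verified account.
CODEOWNERS = """\
# Default owners
*            @alice
src/auth/**  owner@example.com
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_codeowners(text):
    """Return a list of (pattern, [owner tokens]) from CODEOWNERS text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules


def resolve_owner(token, accounts, verified_only):
    """Map one owner token to a login, or None if it resolves to nobody.

    verified_only=False reproduces the pre-fix mapping: any address present on
    an account is accepted. verified_only=True is the fixed mapping: only a
    verified address identifies its account. Team tokens (@org/team) are out
    of scope here and never resolve.
    """
    if token.startswith("@"):
        login = token[1:]
        if "/" in login:
            return None
        return login if any(a.login == login for a in accounts) else None
    if EMAIL_RE.match(token):
        for a in accounts:
            verified = a.emails.get(token)
            if verified is None:
                continue                      # address not on this account
            if verified or not verified_only:
                return a.login
    return None


def code_owners_for(path, rules, accounts, verified_only):
    """Logins that own `path`; as in CODEOWNERS, the last matching pattern wins."""
    owners = []
    for pattern, tokens in rules:
        if fnmatch.fnmatch(path, pattern):
            owners = tokens
    logins = {resolve_owner(t, accounts, verified_only) for t in owners}
    logins.discard(None)
    return logins


def unresolvable_email_owners(rules, accounts):
    """Audit check: email owner entries backed by no verified account.

    Under the pre-fix behaviour each of these could be claimed by any member
    who adds the address to their own account without verifying it.
    """
    found = set()
    for _, tokens in rules:
        for t in tokens:
            if EMAIL_RE.match(t) and resolve_owner(t, accounts, True) is None:
                found.add(t)
    return sorted(found)


if __name__ == "__main__":
    rules = parse_codeowners(CODEOWNERS)
    path = "src/auth/login.py"
    print("pre-fix owners :", code_owners_for(path, rules, ACCOUNTS, False))
    print("fixed owners   :", code_owners_for(path, rules, ACCOUNTS, True))
    print("claimable      :", unresolvable_email_owners(rules, ACCOUNTS))
```

Under the pre-fix mapping the unverified address makes `mallory` a code owner of `src/auth/`, so a review from that account satisfies the check; under the fixed mapping the entry resolves to nobody. Note that an email entry with no verified owner still yields an empty owner set after the fix, so the audit function is the practical takeaway: prefer `@username` or `@org/team` entries, and treat any email-only entry that does not resolve as a misconfiguration rather than relying on the platform's mapping.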