@ionicabizau reported a bug where a user audit log entry was created that disclosed another user’s IP address. When a user is invited to join an organization an audit log event is created when the user accepts the invitation and is added to their initial set of teams. This audit log event was visible to the user that initiated the invitation and contained the IP address of the user that accepted the invitation. We addressed this by removing this event type from the user audit log. The event is still visible in the organization audit log, but no IP address information is disclosed.
GitHub occasionaly lets users and organizations preview upcoming features through our early access program. For example, we recently used the early access program to preview Git LFS. @IonicaBizau identified and reported a bug that could allow an attacker to register another user for an early access feature. While we correctly restricted which organizations a user could register, we did not restrict which users could be registered. This was considered a low risk vulnerability since it did not directly allow an attacker any additional access to the user’s account (it only enabled new features for the registered user). We addressed this issue by ensuring a user can only register themselves, and organizations they administer, for early access features.