@brxxn discovered that in certain cases, when a user was authorizing an OAuth application, the authorization page would not display all of the requested scopes. Because certain scopes would not be displayed, it was possible for users to be misled into granting an application more permissions than they intended. This affected the scopes for GPG keys, team discussions, packages, and businesses. Additionally, the site_admin scope was affected on GitHub Enterprise. We addressed the vulnerability by ensuring that every OAuth scope has an associated view that will be displayed when an application requests it, and adding a linter to ensure that any new OAuth scopes in the future will have a corresponding view.
This issue has been fixed in GitHub Enterprise 2.14.20, 2.15.13, and 2.16.8.
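The two controls described above, a consent page that fails closed when a scope has no display text and a lint that catches scopes without a view, shown as an added Ruby example that is not GitHub's code; the scope registry, the view strings and the intentionally missing view are constructed for illustration.

```ruby
# Added example (not GitHub's code): a fail-closed consent-page model
# and a linter that catches scopes without a view. Scope names and
# descriptions below are constructed for illustration.

# Constructed scope registry: every scope an application may request.
KNOWN_SCOPES = %w[repo user read:gpg_key write:gpg_key read:discussion
                  read:packages site_admin].freeze

# Constructed view registry: the text shown on the authorization page
# for each scope. One scope deliberately has no entry so the lint fails.
SCOPE_VIEWS = {
  "repo"            => "Full control of private repositories",
  "user"            => "Read and write profile information",
  "read:gpg_key"    => "Read your GPG keys",
  "write:gpg_key"   => "Create, list and view details for GPG keys",
  "read:discussion" => "Read team discussions",
  "read:packages"   => "Download packages",
  # "site_admin" intentionally has no view here to show the lint failing
}.freeze

class MissingScopeView < StandardError; end

# Linter: returns every known scope that has no corresponding view.
# Run in CI so a newly added scope cannot ship without display text.
def scopes_without_views(scopes = KNOWN_SCOPES, views = SCOPE_VIEWS)
  scopes.reject { |s| views.key?(s) }
end

# Consent page builder. The vulnerable behaviour was to silently drop
# scopes that had no view; this version raises instead, so the user is
# never shown fewer permissions than the application actually requested.
def consent_lines(requested, views = SCOPE_VIEWS)
  missing = requested.reject { |s| views.key?(s) }
  raise MissingScopeView, "no view for: #{missing.join(', ')}" unless missing.empty?
  requested.map { |s| "#{s}: #{views[s]}" }
end

if __FILE__ == $PROGRAM_NAME
  puts "lint: scopes missing a view: #{scopes_without_views.inspect}"
  puts consent_lines(%w[repo read:gpg_key])
  begin
    consent_lines(%w[repo site_admin])
  rescue MissingScopeView => e
    puts "refused to render consent page: #{e.message}"
  end
end
```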