@kyprizel discovered a way to inject limited request headers to internal Git proxy requests. While we were unable to find a way for an attacker to exploit the issue, the behavior was potentially dangerous and warranted a fix. We addressed the vulnerability by ensuring that the content-length header could not be injected and that the valid content-length header accurately represents the content, ensuring other headers cannot be injected.
This issue has been fixed in GitHub Enterprise 2.8.7, 2.7.11, 2.6.16, 2.5.21, and 2.4.23.
@kyprizel reported a denial of service vulnerability in our babeld service. The underlying cause of this issue was logging functionality that would be recursively called given certain input. We fixed this issue by restructuring our logging to not recurse without bounds. Similar code paths were audited for issues. This issue was fixed in GitHub Enterprise 2.8.3, 2.7.8, and 2.6.13.
@kyprizel identified that credentials for an internal GitHub package service were accidentally included in the released builds of GitHub Enterprise. We fixed this issue by excluding certain files from our GitHub Enterprise build process as well as removing and revoking these hardcoded credentials.
@kyprizel discovered a command injection vulnerability in the management interface for GitHub Enterprise. Exploitation did not require authentication, but the management interface runs on a different port by default and Enterprise administrators are encouraged to restrict access to this port for the appliance. Still, many instances were likely exploitable.
We addressed this vulnerability by not including request parameters in shell commands. We issued an unplanned update to GitHub Enterprise to quickly provide a fix to users.
This vulnerability only affected GitHub Enterprise version 2.5.X. If you are running the 2.5.X series, please ensure that you have updated to version 2.5.4 or higher. More details can be found in the v2.5.4 release notes.
@kyprizel reported that legacy third-party API credentials were hardcoded in the source code distributed with GitHub Enterprise. The disclosed credentials were not found to be used maliciously.
We addressed the behavior by revoking the exposed credentials and removing them from the source code.
@kyprizel reported that debugging output from our GitHub Pages infrastructure could be disclosed if a specific user-agent was used in requests to a GitHub Pages site. The disclosed information was found to not contain sensitive data. However, given the caching of our GitHub Pages infrastructure, this could be used to force a targeted GitHub Pages site to return the debug information instead of the intended site content for other users.
We addressed the behavior by removing support for debug requests within GitHub Pages.