@not-an-aardvark identified that when accessing Gists via Git using an OAuth or Personal Access Token, the provided token’s scope was not properly checked. This could have allowed an authorized OAuth application or Personal Access Token with minimal scopes to modify Gists. This vulnerability would not expose the URL of private Gists and did not affect code repositories on GitHub.com.
We addressed this issue by properly validating a token’s scope when Git operations are performed.
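The kind of check this fix describes, as an added example rather than GitHub's own code: a Git-transport authorization function that skips the token's scopes, next to one that requires the `gist` scope for writes. The `Token` and `Gist` records, the function names, the open-read rule and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Git smart-HTTP service names mapped to the access they need.
SERVICE_ACCESS = {"git-upload-pack": "read", "git-receive-pack": "write"}
GIST_SCOPE = "gist"  # OAuth scope GitHub documents for writing gists


@dataclass(frozen=True)
class Token:  # hypothetical token record (OAuth token or PAT)
    user: str
    scopes: frozenset
    revoked: bool = False


@dataclass(frozen=True)
class Gist:  # hypothetical gist record
    owner: str


def authorize_unscoped(token: Token, gist: Gist, service: str) -> bool:
    """Flawed pattern: authenticates the token and checks ownership,
    but never consults the token's scopes on the Git path."""
    if token.revoked:
        return False
    if service == "git-upload-pack":
        return True  # assumption: anyone holding the gist URL may read
    return token.user == gist.owner


def authorize_scoped(token: Token, gist: Gist, service: str) -> bool:
    """Corrected pattern: deny by default; a write needs ownership AND scope."""
    access = SERVICE_ACCESS.get(service)
    if token.revoked or access is None:
        return False
    if access == "read":
        return True  # same read assumption as above
    return token.user == gist.owner and GIST_SCOPE in token.scopes


# Constructed sample data: same user, one token without the gist scope.
GIST = Gist(owner="alice")
MINIMAL = Token(user="alice", scopes=frozenset({"read:user"}))
SCOPED = Token(user="alice", scopes=frozenset({"read:user", "gist"}))

if __name__ == "__main__":
    for name, tok in (("minimal", MINIMAL), ("scoped", SCOPED)):
        print(name, authorize_unscoped(tok, GIST, "git-receive-pack"),
              authorize_scoped(tok, GIST, "git-receive-pack"))
```

Routing the API and Git paths through one function like `authorize_scoped` keeps the two transports from drifting apart in what they enforce.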
@not-an-aardvark reported that titles of private issues could be disclosed by marking a private issue as a duplicate of a public issue. New additions to keyword workflows in GitHub.com allow a user to comment on an issue and mark it as a duplicate of another. This action adds an indication on the referenced issue allowing other users to quickly view all issues that are duplicates of each other. In this case, private issue titles and private repo names would show up if a collaborator on a private repo marked an issue in that private repo as a duplicate of an issue found in a public repo.
We addressed this issue by refactoring our authorization checks for issue metadata. This issue does not affect GitHub Enterprise.