@tunz identified a gap in the authorization of our newly shipped fork collaboration feature. The intended use case properly enforced that only maintainers of the parent repository could access fork branches after the PR author granted branch access. However, if a user created a pull request to merge the parent repository into their fork, they could use this feature to gain push access to the parent repository.
Given the severity of this issue, it was fixed immediately after the report was received. Additionally, a full audit was performed to identify all uses and misuses of the new feature. The audit confirmed that the vulnerability was not used to gain access to non-testing repositories, and no cases of abuse were identified. Given the short lifetime of this issue, no enterprise releases are affected.
@tunz found that javascript: URLs could be used in links in MathJax formulas in IPython Notebooks. If clicked, this could allow an attacker to execute JavaScript on the render.githubusercontent.com domain. While exploitation of this vulnerability was limited to a sandboxed domain, we still took the threat seriously. We addressed this issue by running MathJax in “safe mode”.
@tunz found that malicious github-mac: URLs could be crafted, leading to arbitrary remote code execution when visited by users. This vulnerability was fixed in version 207 of the GitHub for Mac application.