@x-crossfire discovered that repository Service Hooks can be used to make non-HTTP requests from our webhook service. Some Service Hooks have a user-configurable URL, which is typically the location of the server where a data payload will be sent when certain events occur, such as a push to the repository. If a non-HTTP scheme was specified in the URL, our webhook service would create a request matching the user-supplied scheme, allowing requests of arbitrary protocols to be made, such as SMTP, FILE, or GOPHER. While there is no known way to exploit this behavior, as there are firewall rules in place to block traffic to internal services and no known way an attacker could have read the responses from internal requests, GitHub addressed the vulnerability by ensuring URLs have an HTTP(S) scheme before making requests.
This issue has been fixed in GitHub Enterprise 2.11.0, 2.10.6, 2.9.11, and 2.8.19.
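
The scheme check described above can be sketched as follows. This is an added example, not GitHub's code: the names `validate_hook_url`, `classify_hook_urls` and `UnsafeHookURL` are hypothetical, the sample URLs are constructed, and the host check goes one step beyond the scheme check the advisory mentions.

```ruby
require "uri"

# Only these schemes may be requested by the hook delivery code.
ALLOWED_SCHEMES = %w[http https].freeze

class UnsafeHookURL < StandardError; end

# Parse a user-configured hook URL and return the URI only if it is an
# absolute HTTP(S) URL with a host; raise UnsafeHookURL otherwise.
def validate_hook_url(raw)
  raise UnsafeHookURL, "empty URL" if raw.nil? || raw.strip.empty?

  begin
    uri = URI.parse(raw.strip)
  rescue URI::Error => e
    raise UnsafeHookURL, "unparseable URL: #{e.message}"
  end

  # Compare case-insensitively so "GOPHER://" or "File://" cannot slip past.
  scheme = uri.scheme.to_s.downcase
  unless ALLOWED_SCHEMES.include?(scheme)
    raise UnsafeHookURL, "scheme #{scheme.inspect} is not allowed"
  end

  # "https:example.com" has an allowed scheme but no authority component.
  raise UnsafeHookURL, "missing host" if uri.host.nil? || uri.host.empty?

  uri
end

# Map each candidate URL to true (deliverable) or false (rejected).
def classify_hook_urls(urls)
  urls.to_h { |url| [url, (validate_hook_url(url) && true rescue false)] }
end

# Constructed sample inputs, covering the schemes the advisory names.
SAMPLE_HOOK_URLS = [
  "https://ci.example.com/hooks/push",
  "HTTP://ci.example.com/hooks/push",
  "file:///etc/hostname",
  "gopher://127.0.0.1:70/_test",
  "smtp://mail.example.com:25",
  "ci.example.com/hooks/push",
  "https:example.com",
].freeze

if __FILE__ == $PROGRAM_NAME
  classify_hook_urls(SAMPLE_HOOK_URLS).each { |url, ok| puts "#{ok ? 'allow' : 'block'}  #{url}" }
end
```

If the HTTP client follows redirects, the same check has to run on every redirect target, since a permitted `https://` URL can redirect to another scheme.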