From f8ff144c0bbad105290c7a7281848ccdcf22cc60 Mon Sep 17 00:00:00 2001 From: Mike Bailey Date: Thu, 21 Dec 2023 16:07:36 -0500 Subject: [PATCH] PSIRT docs fix for December Release (#48259) --- .../enterprise-server/3-10/4.yml | 20 ++++-- .../enterprise-server/3-11/1.yml | 62 +++++++++++-------- .../enterprise-server/3-7/19.yml | 48 +++++++------- .../enterprise-server/3-8/12.yml | 21 +++++-- .../release-notes/enterprise-server/3-9/7.yml | 20 ++++-- 5 files changed, 106 insertions(+), 65 deletions(-) diff --git a/data/release-notes/enterprise-server/3-10/4.yml b/data/release-notes/enterprise-server/3-10/4.yml index 3cb27a147a67..4e49c2333d46 100644 --- a/data/release-notes/enterprise-server/3-10/4.yml +++ b/data/release-notes/enterprise-server/3-10/4.yml @@ -12,17 +12,25 @@ sections: This vulnerability would allow unauthenticated attackers to gain access to various types of resources set as public on the instance. To exploit this vulnerability, an attacker would need network access to the GitHub Enterprise Server instance configured in private mode. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-6847](https://www.cve.org/cverecord?id=CVE-2023-6847). - | - **HIGH**: An attacker with access to a Management Console user account with the editor role could escalate privileges by making requests to the endpoint used for bootstrapping the instance, and then reset the root site administrator password. GitHub has requested CVE ID [CVE-2023-46647](https://nvd.nist.gov/vuln/detail/CVE-2023-46647) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **HIGH**: An attacker with access to a Management Console user account with the editor role could escalate privileges by making requests to the endpoint used for bootstrapping the instance, and then reset the root site administrator password. GitHub has requested CVE ID [CVE-2023-46647](https://www.cve.org/cverecord?id=CVE-2023-46647) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | - **MEDIUM**: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6746](https://nvd.nist.gov/vuln/detail/CVE-2023-6746) for this vulnerability. + **HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46645](https://www.cve.org/cverecord?id=CVE-2023-46645). - | - **MEDIUM:** Due to an insufficient entropy vulnerability, an attacker could brute force a user invitation to the Management Console. To exploit this vulnerability, an attacker would have needed knowledge that a user invitation was pending. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46648](https://www.cve.org/CVERecord?id=CVE-2023-46648). + **MEDIUM**: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6746](https://www.cve.org/cverecord?id=CVE-2023-6746) for this vulnerability. - | - **MEDIUM**: Due to an improper access control, an attacker could view private repository names by enumerating check run IDs with the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content other than the name. GitHub has requested CVE ID [CVE-2023-46646](https://nvd.nist.gov/vuln/detail/CVE-2023-46646) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **MEDIUM**: Due to an insufficient entropy vulnerability, an attacker could brute force a user invitation to the Management Console. To exploit this vulnerability, an attacker would have needed knowledge that a user invitation was pending. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46648](https://www.cve.org/CVERecord?id=CVE-2023-46648). - | - **MEDIUM:** An attacker could maintain admin access to a transferred repository in a race condition by making a GraphQL mutation to alter repository permissions during the transfer. GitHub has requested CVE ID [CVE-2023-6690](https://nvd.nist.gov/vuln/detail/CVE-2023-6690) for this vulnerability, which reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **MEDIUM**: An attacker could maintain admin access via a race condition when an organization was converted from a user. GitHub has requested CVE ID [CVE-2023-46649](https://www.cve.org/cverecord?id=CVE-2023-46649) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | - **MEDIUM**: Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped personal access token. To exploit this, a workflow must have already existed in the target repository. GitHub has requested CVE ID [CVE-2023-6804](https://nvd.nist.gov/vuln/detail/CVE-2023-6804) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **MEDIUM**: Due to an improper access control, an attacker could view private repository names by enumerating check run IDs with the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content other than the name. GitHub has requested CVE ID [CVE-2023-46646](https://www.cve.org/cverecord?id=CVE-2023-46646) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: An attacker could maintain admin access to a transferred repository in a race condition by making a GraphQL mutation to alter repository permissions during the transfer. GitHub has requested CVE ID [CVE-2023-6690](https://www.cve.org/cverecord?id=CVE-2023-6690) for this vulnerability, which reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: An insertion of sensitive information into log file in the audit log in GitHub Enterprise Server was identified that that could allow an attacker to gain access to the Management Console. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6802](https://www.cve.org/CVERecord?id=CVE-2023-6802) for this vulnerability. + - | + **MEDIUM**: A race condition in GitHub Enterprise Server allowed an outside collaborator to be added while a repository is being transferred. GitHub has requested CVE ID [CVE-2023-6803](https://www.cve.org/cverecord?id=CVE-2023-6803) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped personal access token. To exploit this, a workflow must have already existed in the target repository. GitHub has requested CVE ID [CVE-2023-6804](https://www.cve.org/cverecord?id=CVE-2023-6804) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required `contents.write` and `issues.read` permissions. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51379](https://www.cve.org/CVERecord?id=CVE-2023-51379). - | diff --git a/data/release-notes/enterprise-server/3-11/1.yml b/data/release-notes/enterprise-server/3-11/1.yml index 85ef55abcba4..2abf8099f5ff 100644 --- a/data/release-notes/enterprise-server/3-11/1.yml +++ b/data/release-notes/enterprise-server/3-11/1.yml @@ -3,64 +3,76 @@ sections: security_fixes: - | **HIGH**: An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of private mode by using a specially crafted API request. Private mode is the mechanism that enforces authentication for publicly-scoped resources. For more information, see "[AUTOTITLE](/admin/configuration/hardening-security-for-your-enterprise/enabling-private-mode)." - + This vulnerability would allow unauthenticated attackers to gain access to various types of resources set as public on the instance. To exploit this vulnerability, an attacker would need network access to the GitHub Enterprise Server instance configured in private mode. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-6847](https://www.cve.org/cverecord?id=CVE-2023-6847). - | - **HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46645](https://www.cve.org/cverecord?id=CVE-2023-46645). + **HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46645](https://www.cve.org/cverecord?id=CVE-2023-46645). + - | + **MEDIUM**: An attacker could maintain admin access via a race condition when an organization was converted from a user. GitHub has requested CVE ID [CVE-2023-46649](https://www.cve.org/cverecord?id=CVE-2023-46649) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: An insertion of sensitive information into log file in the audit log in GitHub Enterprise Server was identified that that could allow an attacker to gain access to the Management Console. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6802](https://www.cve.org/CVERecord?id=CVE-2023-6802) for this vulnerability. + - | + **MEDIUM**: A race condition in GitHub Enterprise Server allowed an outside collaborator to be added while a repository is being transferred. GitHub has requested CVE ID [CVE-2023-6803](https://www.cve.org/cverecord?id=CVE-2023-6803) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM:** Due to an insufficient entropy vulnerability, an attacker could brute force a user invitation to the Management Console. To exploit this vulnerability, an attacker would have needed knowledge that a user invitation was pending. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46648](https://www.cve.org/CVERecord?id=CVE-2023-46648). + - | + **MEDIUM**: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6746](https://www.cve.org/CVERecord?id=CVE-2023-6746) for this vulnerability. + - | + **MEDIUM:** An attacker could maintain admin access to a transferred repository in a race condition by making a GraphQL mutation to alter repository permissions during the transfer. GitHub has requested CVE ID [CVE-2023-6690](https://www.cve.org/CVERecord?id=CVE-2023-6690) for this vulnerability, which reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | - **MEDIUM**: Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped personal access token. To exploit this, a workflow must have already existed in the target repository. GitHub has requested CVE ID [CVE-2023-6804](https://nvd.nist.gov/vuln/detail/CVE-2023-6804) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **MEDIUM**: Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped personal access token. To exploit this, a workflow must have already existed in the target repository. GitHub has requested CVE ID [CVE-2023-6804](https://www.cve.org/CVERecord?id=CVE-2023-6804) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | - **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required `contents.write` and `issues.read` permissions. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51379](https://www.cve.org/CVERecord?id=CVE-2023-51379). + **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required `contents.write` and `issues.read` permissions. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51379](https://www.cve.org/CVERecord?id=CVE-2023-51379). - | **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be read with an improperly scoped token. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51380](https://www.cve.org/CVERecord?id=CVE-2023-51380). - | **LOW:** To render interactive maps in an instance's web UI using Azure Maps, GitHub Enterprise Server has migrated from use of an unsecure Azure Maps API token to a more secure access token provided by role-based access control (RBAC) in Entra ID. After upgrading to this release, to re-enable interactive maps, an administrator must reconfigure authentication to Azure Maps in the Management Console. For more information, see "[AUTOTITLE](/admin/configuration/configuring-user-applications-for-your-enterprise/configuring-interactive-maps)." - | - To address scenarios that could lead to denial of service, HAProxy has been upgraded to version 2.8.4. + To address scenarios that could lead to denial of service, HAProxy has been upgraded to version 2.8.4. - | - Packages have been updated to the latest security versions. + Packages have been updated to the latest security versions. bugs: - | - In rare cases, on an instance with GitHub Actions enabled, a failed check on a deleted repository could cause upgrades to a new version of GitHub Enterprise Server to fail. + In rare cases, on an instance with GitHub Actions enabled, a failed check on a deleted repository could cause upgrades to a new version of GitHub Enterprise Server to fail. - | - Error messages were not shown when `ghe-config-apply` encountered specific kinds of errors. + Error messages were not shown when `ghe-config-apply` encountered specific kinds of errors. - | - In some environments, stale `.backup` log files could accumulate in the system. + In some environments, stale `.backup` log files could accumulate in the system. - | - On an instance hosted on AWS, when configuring GitHub Packages, virtual-hosted-style AWS S3 URLs would default to path-style URLs if a `region-code` was included. For more information, see [Virtual hosting of buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html) in the AWS documentation. + On an instance hosted on AWS, when configuring GitHub Packages, virtual-hosted-style AWS S3 URLs would default to path-style URLs if a `region-code` was included. For more information, see [Virtual hosting of buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html) in the AWS documentation. - | - In some cases, when an administrator uploaded a custom TLS certificate, the certificate was not correctly installed on the instance. + In some cases, when an administrator uploaded a custom TLS certificate, the certificate was not correctly installed on the instance. - | - Because the `|` character was not permitted, administrators could not add an SMTP username to authenticate with the Azure Communication Service. + Because the `|` character was not permitted, administrators could not add an SMTP username to authenticate with the Azure Communication Service. - | - In some cases, upgrades to GitHub Enterprise Server 3.11 could fail due to the Consul server failing to start. + In some cases, upgrades to GitHub Enterprise Server 3.11 could fail due to the Consul server failing to start. - | Endpoints for the REST API's Manage GitHub Enterprise Server operation returned `internal service error` if `cluster.conf` was not found on the instance. - | - On an instance with GitHub Actions enabled, an issue with `GH_TOKEN` sometimes prevented GitHub Pages sites from building successfully in workflows. + On an instance with GitHub Actions enabled, an issue with `GH_TOKEN` sometimes prevented GitHub Pages sites from building successfully in workflows. - | - An administrator could enable GitHub Connect on an instance with a license that does not support GitHub Connect. + An administrator could enable GitHub Connect on an instance with a license that does not support GitHub Connect. - | - On an instance GitHub Connect enabled, some system users were incorrectly counted as consuming a license following license sync. + On an instance GitHub Connect enabled, some system users were incorrectly counted as consuming a license following license sync. - | - A user in the process of being converted into an organization could be added as a collaborator on a repository. This resulted in the new organizations owners unexpectedly receiving access to the repository. + A user in the process of being converted into an organization could be added as a collaborator on a repository. This resulted in the new organizations owners unexpectedly receiving access to the repository. - | - When using `ghe-migrator` to import repositories into GitHub Enterprise Server, the `conflicts` and `audit` subcommands produced an invalid CSV file due to an extra log line appended to the file. + When using `ghe-migrator` to import repositories into GitHub Enterprise Server, the `conflicts` and `audit` subcommands produced an invalid CSV file due to an extra log line appended to the file. - | - On an instance with a GitHub Advanced Security license and secret scanning enabled, dry runs sometimes incorrectly reported no results for custom patterns. + On an instance with a GitHub Advanced Security license and secret scanning enabled, dry runs sometimes incorrectly reported no results for custom patterns. - | - On an instance with a GitHub Advanced Security license and secret scanning enabled, webhooks for alert locations did not contain information about push protection bypasses. + On an instance with a GitHub Advanced Security license and secret scanning enabled, webhooks for alert locations did not contain information about push protection bypasses. changes: - | - On an instance with Dependabot updates enabled, Dependabot relies on the node installation provided by the actions runner instead of dynamically downloading. + On an instance with Dependabot updates enabled, Dependabot relies on the node installation provided by the actions runner instead of dynamically downloading. - | - To avoid negative effects on disk utilization, `babeld` log files have a maximum size of 15 GB. + To avoid negative effects on disk utilization, `babeld` log files have a maximum size of 15 GB. - | - When using `ghe-migrator prepare` to import an archive, a missing `schema.json` file results in an `UnsupportedArchive` error rather than an `UnsupportedSchemaVersion` error. + When using `ghe-migrator prepare` to import an archive, a missing `schema.json` file results in an `UnsupportedArchive` error rather than an `UnsupportedSchemaVersion` error. - | - The audit log now tracks all failed password attempts individually. Previously, duplicate failed password attempts in sequence within the same day would be grouped into one failed password attempt, with a `count` field. + The audit log now tracks all failed password attempts individually. Previously, duplicate failed password attempts in sequence within the same day would be grouped into one failed password attempt, with a `count` field. - | - On an instance in a cluster configuration, administrators can identify the repository networks or gists that are common across a specified set of storage nodes using the `spokesctl find-on-replicas` command. + On an instance in a cluster configuration, administrators can identify the repository networks or gists that are common across a specified set of storage nodes using the `spokesctl find-on-replicas` command. known_issues: - | Custom firewall rules are removed during the upgrade process. diff --git a/data/release-notes/enterprise-server/3-7/19.yml b/data/release-notes/enterprise-server/3-7/19.yml index c88501f06e87..d99bf0af7ae9 100644 --- a/data/release-notes/enterprise-server/3-7/19.yml +++ b/data/release-notes/enterprise-server/3-7/19.yml @@ -2,53 +2,57 @@ date: '2023-12-21' sections: security_fixes: - | - **MEDIUM**: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6746](https://nvd.nist.gov/vuln/detail/CVE-2023-6746) for this vulnerability. + **HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46645](https://www.cve.org/cverecord?id=CVE-2023-46645). - | - **MEDIUM**: Due to an improper access control, an attacker could view private repository names by enumerating check run IDs with the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content other than the name. GitHub has requested CVE ID [CVE-2023-46646](https://nvd.nist.gov/vuln/detail/CVE-2023-46646) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **MEDIUM**: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6746](https://www.cve.org/CVERecord?id=CVE-2023-6746) for this vulnerability. - | - **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required `contents.write` and `issues.read` permissions. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51379](https://www.cve.org/CVERecord?id=CVE-2023-51379). + **MEDIUM**: Due to an improper access control, an attacker could view private repository names by enumerating check run IDs with the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content other than the name. GitHub has requested CVE ID [CVE-2023-46646](https://www.cve.org/CVERecord?id=CVE-2023-46646) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required `contents.write` and `issues.read` permissions. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51379](https://www.cve.org/CVERecord?id=CVE-2023-51379). + - | + **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be read with an improperly scoped token. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51380](https://www.cve.org/CVERecord?id=CVE-2023-51380). - | **LOW:** To render interactive maps in an instance's web UI using Azure Maps, GitHub Enterprise Server has migrated from use of an unsecure Azure Maps API token to a more secure access token provided by role-based access control (RBAC) in Entra ID. After upgrading to this release, to re-enable interactive maps, an administrator must reconfigure authentication to Azure Maps in the Management Console. For more information, see "[AUTOTITLE](/admin/configuration/configuring-user-applications-for-your-enterprise/configuring-interactive-maps)." - | - Packages have been updated to the latest security versions. + Packages have been updated to the latest security versions. bugs: - | - When an administrator ran the `ghe-support-bundle` or `ghe-cluster-support-bundle` command, the `-p` flag did not produce bundles with log durations as specified. The duration period can now only be specified in `days`. Additionally, unnecessary files were sanitized by the commands. + When an administrator ran the `ghe-support-bundle` or `ghe-cluster-support-bundle` command, the `-p` flag did not produce bundles with log durations as specified. The duration period can now only be specified in `days`. Additionally, unnecessary files were sanitized by the commands. - | - On an instance in a cluster configuration, upgrades could fail due to a background job running during database migration. + On an instance in a cluster configuration, upgrades could fail due to a background job running during database migration. - | - On an instance in a high availability configuration, the `ghe-repl-teardown` command failed when provided with a UUID. + On an instance in a high availability configuration, the `ghe-repl-teardown` command failed when provided with a UUID. - | - In some environments, stale `.backup` log files could accumulate in the system. + In some environments, stale `.backup` log files could accumulate in the system. - | - On an instance hosted on AWS, when configuring GitHub Packages, virtual-hosted-style AWS S3 URLs would default to path-style URLs if a `region-code` was included. For more information, see [Virtual hosting of buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html) in the AWS documentation. + On an instance hosted on AWS, when configuring GitHub Packages, virtual-hosted-style AWS S3 URLs would default to path-style URLs if a `region-code` was included. For more information, see [Virtual hosting of buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html) in the AWS documentation. - | - Because the `|` character was not permitted, administrators could not add an SMTP username to authenticate with the Azure Communication Service. + Because the `|` character was not permitted, administrators could not add an SMTP username to authenticate with the Azure Communication Service. - | - On an instance with a GitHub Advanced Security license and secret scanning enabled, site administrators using the `ghe-secret-scanning` command would not see a relevant error message if their input was invalid. + On an instance with a GitHub Advanced Security license and secret scanning enabled, site administrators using the `ghe-secret-scanning` command would not see a relevant error message if their input was invalid. - | - After importing a migration archive using `ghe-migrator` or REST API endpoints for organization migrations, in some cases, some review comments within pull requests were not associated with lines of code. + After importing a migration archive using `ghe-migrator` or REST API endpoints for organization migrations, in some cases, some review comments within pull requests were not associated with lines of code. - | - On an instance with a GitHub Advanced Security license and secret scanning enabled, secret scanning alert emails were sent to organization owners even if their email address did not comply with domain restrictions. + On an instance with a GitHub Advanced Security license and secret scanning enabled, secret scanning alert emails were sent to organization owners even if their email address did not comply with domain restrictions. - | - A missing executable on the PATH caused the `ghe-spokesctl ssh` command to fail. + A missing executable on the PATH caused the `ghe-spokesctl ssh` command to fail. - | - On an instance GitHub Connect enabled, some system users were incorrectly counted as consuming a license following license sync. + On an instance GitHub Connect enabled, some system users were incorrectly counted as consuming a license following license sync. - | - A user in the process of being converted into an organization could be added as a collaborator on a repository. This resulted in the new organizations owners unexpectedly receiving access to the repository. + A user in the process of being converted into an organization could be added as a collaborator on a repository. This resulted in the new organizations owners unexpectedly receiving access to the repository. - | - Pre-receive hook failures were not visible in the administrator audit log. + Pre-receive hook failures were not visible in the administrator audit log. - | - On an instance with a GitHub Advanced Security license and secret scanning enabled, dry runs sometimes incorrectly reported no results for custom patterns. + On an instance with a GitHub Advanced Security license and secret scanning enabled, dry runs sometimes incorrectly reported no results for custom patterns. changes: - | - When adding a node to an instance, performance is improved during initial database replication. + When adding a node to an instance, performance is improved during initial database replication. - | - An administrator can run the new `ghe-check-background-upgrade-jobs` command to ensure all upgrade jobs that run in the background have finished. This allows the administrator to know when they can start the next upgrade to their GitHub Enterprise Server instance. + An administrator can run the new `ghe-check-background-upgrade-jobs` command to ensure all upgrade jobs that run in the background have finished. This allows the administrator to know when they can start the next upgrade to their GitHub Enterprise Server instance. - | - When using `ghe-migrator prepare` to import an archive, a missing `schema.json` file results in an `UnsupportedArchive` error rather than an `UnsupportedSchemaVersion` error. + When using `ghe-migrator prepare` to import an archive, a missing `schema.json` file results in an `UnsupportedArchive` error rather than an `UnsupportedSchemaVersion` error. - | - As a security measure, GitHub Pages does not build sites that contain symbolic links except when using custom GitHub Actions workflows. When the page builder encounters a symbolic link, the build will fail with an error indicating that the symbolic link should be dereferenced. Custom workflows for GitHub Pages are available in GitHub Enterprise Server 3.7 and later. + As a security measure, GitHub Pages does not build sites that contain symbolic links except when using custom GitHub Actions workflows. When the page builder encounters a symbolic link, the build will fail with an error indicating that the symbolic link should be dereferenced. Custom workflows for GitHub Pages are available in GitHub Enterprise Server 3.7 and later. known_issues: - | Custom firewall rules are removed during the upgrade process. diff --git a/data/release-notes/enterprise-server/3-8/12.yml b/data/release-notes/enterprise-server/3-8/12.yml index 5adae2c45d66..f90fecedba56 100644 --- a/data/release-notes/enterprise-server/3-8/12.yml +++ b/data/release-notes/enterprise-server/3-8/12.yml @@ -2,20 +2,29 @@ date: '2023-12-21' sections: security_fixes: - | - **HIGH**: An attacker with access to a Management Console user account with the editor role could escalate privileges by making requests to the endpoint used for bootstrapping the instance, and then reset the root site administrator password. GitHub has requested CVE ID [CVE-2023-46647](https://nvd.nist.gov/vuln/detail/CVE-2023-46647) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **HIGH**: An attacker with access to a Management Console user account with the editor role could escalate privileges by making requests to the endpoint used for bootstrapping the instance, and then reset the root site administrator password. GitHub has requested CVE ID [CVE-2023-46647](https://www.cve.org/cverecord?id=CVE-2023-46647) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | - **MEDIUM**: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6746](https://nvd.nist.gov/vuln/detail/CVE-2023-6746) for this vulnerability. + **HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46645](https://www.cve.org/cverecord?id=CVE-2023-46645). - | - **MEDIUM:** Due to an insufficient entropy vulnerability, an attacker could brute force a user invitation to the Management Console. To exploit this vulnerability, an attacker would have needed knowledge that a user invitation was pending. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46648](https://www.cve.org/CVERecord?id=CVE-2023-46648). + **MEDIUM**: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6746](https://www.cve.org/cverecord?id=CVE-2023-6746) for this vulnerability. - | - **MEDIUM**: Due to an improper access control, an attacker could view private repository names by enumerating check run IDs with the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content other than the name. GitHub has requested CVE ID [CVE-2023-46646](https://nvd.nist.gov/vuln/detail/CVE-2023-46646) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **MEDIUM**: Due to an insufficient entropy vulnerability, an attacker could brute force a user invitation to the Management Console. To exploit this vulnerability, an attacker would have needed knowledge that a user invitation was pending. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46648](https://www.cve.org/CVERecord?id=CVE-2023-46648). - | - **MEDIUM**: Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped personal access token. To exploit this, a workflow must have already existed in the target repository. GitHub has requested CVE ID [CVE-2023-6804](https://nvd.nist.gov/vuln/detail/CVE-2023-6804) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **MEDIUM**: An attacker could maintain admin access via a race condition when an organization was converted from a user. GitHub has requested CVE ID [CVE-2023-46649](https://www.cve.org/cverecord?id=CVE-2023-46649) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | - **MEDIUM:** An attacker could maintain admin access to a transferred repository in a race condition by making a GraphQL mutation to alter repository permissions during the transfer. GitHub has requested CVE ID [CVE-2023-6690](https://nvd.nist.gov/vuln/detail/CVE-2023-6690) for this vulnerability, which reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **MEDIUM**: Due to an improper access control, an attacker could view private repository names by enumerating check run IDs with the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content other than the name. GitHub has requested CVE ID [CVE-2023-46646](https://www.cve.org/cverecord?id=CVE-2023-46646) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: An attacker could maintain admin access to a transferred repository in a race condition by making a GraphQL mutation to alter repository permissions during the transfer. GitHub has requested CVE ID [CVE-2023-6690](https://www.cve.org/cverecord?id=CVE-2023-6690) for this vulnerability, which reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: An insertion of sensitive information into log file in the Audit Log in GitHub Enterprise Server was identified that that could allow an attacker to gain access to the Management Console. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6802](https://www.cve.org/CVERecord?id=CVE-2023-6802) for this vulnerability. + - | + **MEDIUM**: A race condition in GitHub Enterprise Server allowed an outside collaborator to be added while a repository is being transferred. GitHub has requested CVE ID [CVE-2023-6803](https://www.cve.org/cverecord?id=CVE-2023-6803) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped personal access token. To exploit this, a workflow must have already existed in the target repo. GitHub has requested CVE ID [CVE-2023-6804](https://www.cve.org/cverecord?id=CVE-2023-6804) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required `contents.write` and `issues.read` permissions. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51379](https://www.cve.org/CVERecord?id=CVE-2023-51379). - | + **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be read with an improperly scoped token. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51380](https://www.cve.org/CVERecord?id=CVE-2023-51380). **LOW:** Pre-receive hooks have been further hardened against shell command injections. - | **LOW:** To render interactive maps in an instance's web UI using Azure Maps, GitHub Enterprise Server has migrated from use of an unsecure Azure Maps API token to a more secure access token provided by role-based access control (RBAC) in Entra ID. After upgrading to this release, to re-enable interactive maps, an administrator must reconfigure authentication to Azure Maps in the Management Console. For more information, see "[AUTOTITLE](/admin/configuration/configuring-user-applications-for-your-enterprise/configuring-interactive-maps)." diff --git a/data/release-notes/enterprise-server/3-9/7.yml b/data/release-notes/enterprise-server/3-9/7.yml index 3df27a1d33ed..8117b2c73866 100644 --- a/data/release-notes/enterprise-server/3-9/7.yml +++ b/data/release-notes/enterprise-server/3-9/7.yml @@ -12,17 +12,25 @@ sections: This vulnerability would allow unauthenticated attackers to gain access to various types of resources set as public on the instance. To exploit this vulnerability, an attacker would need network access to the GitHub Enterprise Server instance configured in private mode. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-6847](https://www.cve.org/cverecord?id=CVE-2023-6847). - | - **HIGH**: An attacker with access to a Management Console user account with the editor role could escalate privileges by making requests to the endpoint used for bootstrapping the instance, and then reset the root site administrator password. GitHub has requested CVE ID [CVE-2023-46647](https://nvd.nist.gov/vuln/detail/CVE-2023-46647) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **HIGH**: An attacker with access to a Management Console user account with the editor role could escalate privileges by making requests to the endpoint used for bootstrapping the instance, and then reset the root site administrator password. GitHub has requested CVE ID [CVE-2023-46647](https://www.cve.org/cverecord?id=CVE-2023-46647) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | - **MEDIUM**: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6746](https://nvd.nist.gov/vuln/detail/CVE-2023-6746) for this vulnerability. + **HIGH**: A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46645](https://www.cve.org/cverecord?id=CVE-2023-46645). - | - **MEDIUM:** Due to an insufficient entropy vulnerability, an attacker could brute force a user invitation to the Management Console. To exploit this vulnerability, an attacker would have needed knowledge that a user invitation was pending. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46648](https://www.cve.org/CVERecord?id=CVE-2023-46648). + **MEDIUM**: An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server backend service that could permit an adversary in the middle attack when combined with other phishing techniques. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6746](https://www.cve.org/cverecord?id=CVE-2023-6746) for this vulnerability. - | - **MEDIUM**: Due to an improper access control, an attacker could view private repository names by enumerating check run IDs with the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content other than the name. GitHub has requested CVE ID [CVE-2023-46646](https://nvd.nist.gov/vuln/detail/CVE-2023-46646) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **MEDIUM**: Due to an insufficient entropy vulnerability, an attacker could brute force a user invitation to the Management Console. To exploit this vulnerability, an attacker would have needed knowledge that a user invitation was pending. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program and assigned [CVE-2023-46648](https://www.cve.org/CVERecord?id=CVE-2023-46648). - | - **MEDIUM:** An attacker could maintain admin access to a transferred repository in a race condition by making a GraphQL mutation to alter repository permissions during the transfer. GitHub has requested CVE ID [CVE-2023-6690](https://nvd.nist.gov/vuln/detail/CVE-2023-6690) for this vulnerability, which reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **MEDIUM**: An attacker could maintain admin access via a race condition when an organization was converted from a user. GitHub has requested CVE ID [CVE-2023-46649](https://www.cve.org/cverecord?id=CVE-2023-46649) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | - **MEDIUM**: Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped personal access token. To exploit this, a workflow must have already existed in the target repository. GitHub has requested CVE ID [CVE-2023-6804](https://nvd.nist.gov/vuln/detail/CVE-2023-6804) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + **MEDIUM**: Due to an improper access control, an attacker could view private repository names by enumerating check run IDs with the "Get a check run" API endpoint. This vulnerability did not allow unauthorized access to any repository content other than the name. GitHub has requested CVE ID [CVE-2023-46646](https://www.cve.org/cverecord?id=CVE-2023-46646) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: An attacker could maintain admin access to a transferred repository in a race condition by making a GraphQL mutation to alter repository permissions during the transfer. GitHub has requested CVE ID [CVE-2023-6690](https://www.cve.org/cverecord?id=CVE-2023-6690) for this vulnerability, which reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: An insertion of sensitive information into log file in the audit log in GitHub Enterprise Server was identified that that could allow an attacker to gain access to the Management Console. To exploit this, an attacker would need access to the log files for the GitHub Enterprise Server instance, a backup archive created with GitHub Enterprise Server Backup Utilities, or a service which received streamed logs. GitHub has requested CVE ID [CVE-2023-6802](https://www.cve.org/CVERecord?id=CVE-2023-6802) for this vulnerability. + - | + **MEDIUM**: A race condition in GitHub Enterprise Server allowed an outside collaborator to be added while a repository is being transferred. GitHub has requested CVE ID [CVE-2023-6803](https://www.cve.org/cverecord?id=CVE-2023-6803) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). + - | + **MEDIUM**: Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped PAT. To exploit this, a workflow must have already existed in the target repo. GitHub has requested CVE ID [CVE-2023-6804](https://www.cve.org/cverecord?id=CVE-2023-6804) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/). - | **MEDIUM**: An incorrect authorization vulnerability was identified that allowed issue comments to be updated with an improperly scoped token. This vulnerability did not allow unauthorized access to any repository content as it also required `contents.write` and `issues.read` permissions. This vulnerability was reported via the [GitHub Bug Bounty Program](https://bounty.github.com/) and has been assigned [CVE-2023-51379](https://www.cve.org/CVERecord?id=CVE-2023-51379). - |