Ahacker1

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.22 **Description** A server-side request forgery (SSRF) issue exists where an unauthenticated attacker can send crafted requests to internal services due to insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker can bypass the intended request flow and redirect internal API calls, which may lead to the access of internal services and exposure of sensitive credentials. SSRF is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location. **Recommendations** Update to version 3.16.20 Update to version 3.17.17 Update to version 3.18.11 Update to version 3.19.8 Update to version 3.20.4 Update to version 3.21.1

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.21 **Description** An improper authorization issue exists where an authenticated attacker can determine the names of private repositories using their numeric ID. This occurs because the mobile upload policy API endpoint ''/mobile/upload policy'' fails to perform an early authorization check, resulting in validation error messages that disclose the full repository name for repositories the caller is not authorized to access. **Recommendations** Update to version 3.20.1 Update to version 3.19.5 Update to version 3.18.8 Update to version 3.17.14 Update to version 3.16.17 Update to version 3.15.21 Update to version 3.14.26

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.21 **Description** An incorrect regular expression allows an attacker to bypass OAuth redirect URI validation. An attacker aware of a first-party OAuth application's registered callback URL can create a malicious authorization link. If a victim clicks this link, the OAuth authorization code is redirected to a domain controlled by the attacker, potentially granting unauthorized access to the victim's account based on the scopes granted to the OAuth application. **Recommendations** Update to version 3.20.1 Update to version 3.19.5 Update to version 3.18.8 Update to version 3.17.14 Update to version 3.16.17 Update to version 3.15.21 Update to version 3.14.26

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.21 **Description** An authorization bypass allows an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository. This occurs by manipulating the `owner id` parameter in the request body. While authorization is verified against the repository in the URL, the action is applied to the repository specified in the request body. The impact is limited to assigning existing trusted users as bypass reviewers and does not allow the addition of arbitrary external users. **Recommendations** Update to version 3.14.25 Update to version 3.15.20 Update to version 3.16.16 Update to version 3.17.13 Update to version 3.18.7 Update to version 3.19.4 Update to version 3.20.1

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.21 **Description** An improper authorization issue exists in scoped user-to-server (`ghu `) token authorization. An authenticated attacker can access private repositories outside the intended installation scope, potentially performing write operations. This occurs due to an authorization fallback that treats a revoked or deleted installation as a global installation context, which may be combined with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. **Recommendations** Update to version 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, or 3.14.26.

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 18.2 through 18.8.9, 18.9 through 18.9.5, and 18.10 through 18.10.3 Description A flaw exists in GitLab CE/EE that could allow an authenticated user to access confidential issues assigned to other users through CSV export. This is due to insufficient authorization checks during the export process. Recommendations Update to GitLab CE/EE version 18.8.9 or later. Update to GitLab CE/EE version 18.9.5 or later. Update to GitLab CE/EE version 18.10.3 or later.

Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions 3.14.24 through 3.19.3 Description An improper authorization issue was found in GitHub Enterprise Server. A user with read access to a repository and write access to a project could modify issue and pull request metadata through the project. Column value updates were applied without verifying the actor's repository write permissions when adding an item to an existing project. This issue was reported through the GitHub Bug Bounty program. Recommendations Update to GitHub Enterprise Server version 3.14.24. Update to GitHub Enterprise Server version 3.15.19. Update to GitHub Enterprise Server version 3.16.15. Update to GitHub Enterprise Server version 3.17.12. Update to GitHub Enterprise Server version 3.18.6. Update to GitHub Enterprise Server version 3.19.3.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.20 GitHub Enterprise Server versions 3.19.2 through 3.19.2 GitHub Enterprise Server versions 3.18.5 through 3.18.5 GitHub Enterprise Server versions 3.17.11 through 3.17.11 GitHub Enterprise Server versions 3.16.14 through 3.16.14 GitHub Enterprise Server versions 3.15.18 through 3.15.18 GitHub Enterprise Server versions 3.14.23 through 3.14.23 **Description** A missing authorization check exists in the repository migration upload endpoint of GitHub Enterprise Server. An attacker with authentication to the instance can upload unauthorized content to another user’s repository migration export by supplying the migration identifier. This allows overwriting or replacing a victim’s migration archive, potentially leading to the download of attacker-controlled repository data during migration restores or automated imports. **Recommendations** Update to GitHub Enterprise Server version 3.20 or later. Update to GitHub Enterprise Server version 3.19.2. Update to GitHub Enterprise Server version 3.18.5. Update to GitHub Enterprise Server version 3.17.11. Update to GitHub Enterprise Server version 3.16.14. Update to GitHub Enterprise Server version 3.15.18. Update to GitHub Enterprise Server version 3.14.23.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.17.11 GitHub Enterprise Server versions prior to 3.18.5 GitHub Enterprise Server versions prior to 3.19.2 **Description** An authorization flaw exists in GitHub Enterprise Server that could allow an attacker to merge a pull request into a repository without necessary push permissions. This is due to an authorization bypass in the `enable auto merge` mutation for pull requests. The issue requires the target repository to allow forking and relies on opening a pull request from a fork controlled by the attacker. Successful exploitation is limited to pull requests with a clean status and branches lacking branch protection rules. **Recommendations** Update GitHub Enterprise Server to version 3.17.11 or later. Update GitHub Enterprise Server to version 3.18.5 or later. Update GitHub Enterprise Server to version 3.19.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 12.3 through 18.6.3 GitLab CE/EE versions 18.7 through 18.7.1 GitLab CE/EE versions 18.8 through 18.8.1 **Description** GitLab CE/EE is susceptible to a denial of service condition. An unauthenticated user can trigger this by sending repeated malformed SSH authentication requests. **Recommendations** Update GitLab CE/EE to version 18.6.4 or later. Update GitLab CE/EE to version 18.7.2 or later. Update GitLab CE/EE to version 18.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 18.6 through 18.8.1 **Description** GitLab CE/EE is affected by a high-severity issue that allows an attacker with knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses. The issue stems from an unchecked return value weakness in GitLab's authentication services. The vulnerability could enable full account takeover, potentially leading to access, modification, or deletion of sensitive code repositories and cloud secrets. Exploitation could also lead to supply chain attacks. There is no information available regarding the number of affected devices worldwide. **Recommendations** Upgrade to GitLab version 18.6.4 or later. Upgrade to GitLab version 18.7.2 or later. Upgrade to GitLab version 18.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** ruby-saml versions prior to 1.12.4 and 1.18.0 **Description** An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. This allows an attacker to execute a Signature Wrapping attack, which may lead to authentication bypass. **Recommendations** To resolve the issue, update ruby-saml to version 1.12.4 or 1.18.0, or later. As a temporary workaround, consider disabling the `checkPassword()` function or restricting access to the vulnerable `ruby-saml` module until a patch is available. Avoid using the `SAMLResponse` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 14.0 through 16.9.7 GitLab CE/EE versions 16.10 through 16.10.5 GitLab CE/EE versions 16.11 through 16.11.2 **Description** An issue has been discovered in GitLab CE/EE that affects the confidentiality of issues in public projects. It was possible to disclose the title and description of confidential issues via the user interface to unauthorized instance users. **Recommendations** For GitLab CE/EE versions 14.0 through 16.9.7, update to a version after 16.9.7 to resolve the issue. For GitLab CE/EE versions 16.10 through 16.10.5, update to a version after 16.10.5 to resolve the issue. For GitLab CE/EE versions 16.11 through 16.11.2, update to a version after 16.11.2 to resolve the issue. As a temporary workaround, consider restricting access to confidential issues in public projects until a patch is available.

Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.14.1 GitHub Enterprise Server versions 3.13.4 and earlier GitHub Enterprise Server versions 3.12.9 and earlier GitHub Enterprise Server versions 3.11.15 and earlier GitHub Enterprise Server versions 3.10.17 and earlier Description: A GitHub App installed in organizations could upgrade some permissions from read to write access without approval from an organization administrator. An attacker would require an account with administrator access to install a malicious GitHub App. This issue was reported via the GitHub Bug Bounty program. Recommendations: For GitHub Enterprise Server versions prior to 3.14.1, update to version 3.14.1 or later. For GitHub Enterprise Server versions prior to 3.13.4, update to version 3.13.4 or later. For GitHub Enterprise Server versions prior to 3.12.9, update to version 3.12.9 or later. For GitHub Enterprise Server versions prior to 3.11.15, update to version 3.11.15 or later. For GitHub Enterprise Server versions prior to 3.10.17, update to version 3.10.17 or later.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.14 GitHub Enterprise Server versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16 are not affected, all versions prior to these are vulnerable. **Description** The issue is related to an XML signature wrapping vulnerability in GitHub Enterprise Server when using SAML authentication with specific identity providers. This vulnerability allows an attacker with direct network access to GitHub Enterprise Server to forge a SAML response, effectively granting themselves site administrator privileges. The vulnerability can be exploited to gain unauthorized access to the instance without requiring prior authentication. **Recommendations** For GitHub Enterprise Server versions prior to 3.13.3, update to version 3.13.3 or later. For GitHub Enterprise Server versions prior to 3.12.8, update to version 3.12.8 or later. For GitHub Enterprise Server versions prior to 3.11.14, update to version 3.11.14 or later. For GitHub Enterprise Server versions prior to 3.10.16, update to version 3.10.16 or later. As a temporary workaround, consider restricting access to SAML authentication until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.14 GitHub Enterprise Server versions 3.13.3, 3.12.8, and 3.11.14 are not vulnerable, but versions before these are affected. **Description** An Incorrect Authorization issue was identified, allowing an attacker to update the title, assignees, and labels of any issue inside a public repository. This issue was only exploitable inside a public repository and was reported via the GitHub Bug Bounty program. **Recommendations** For GitHub Enterprise Server versions prior to 3.14, update to version 3.13.3, 3.12.8, or 3.11.14 to resolve the issue. As a temporary workaround, consider restricting access to public repositories until a patch is applied. Avoid using the issue update functionality in public repositories until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.14 **Description** An exposure of sensitive information issue in GitHub Enterprise Server allows an attacker to enumerate the names of private repositories that utilize deploy keys. This issue does not allow unauthorized access to any repository content besides the name. The issue was reported via the GitHub Bug Bounty program. **Recommendations** For versions prior to 3.9.17, update to version 3.9.17. For versions prior to 3.10.14, update to version 3.10.14. For versions prior to 3.11.12, update to version 3.11.12. For versions prior to 3.12.6, update to version 3.12.6. For versions prior to 3.13.1, update to version 3.13.1. As a temporary workaround, consider restricting access to deploy keys until a patch is applied.

Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.14 Description: An Incorrect Authorization issue was identified in GitHub Enterprise Server, allowing read access to issue content via GitHub Projects. This issue was only exploitable in internal repositories and required the attacker to have access to the corresponding project board. Recommendations: For versions prior to 3.9.17, update to version 3.9.17. For versions prior to 3.10.14, update to version 3.10.14. For versions prior to 3.11.12, update to version 3.11.12. For versions prior to 3.12.6, update to version 3.12.6. For versions prior to 3.13.1, update to version 3.13.1. As a temporary workaround, consider restricting access to GitHub Projects in internal repositories until a patch is applied.

Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.14 GitHub Enterprise Server version 3.9.17 GitHub Enterprise Server version 3.10.14 GitHub Enterprise Server version 3.11.12 GitHub Enterprise Server version 3.12.6 GitHub Enterprise Server version 3.13.1 Description: An Incorrect Authorization issue was identified in GitHub Enterprise Server, allowing a suspended GitHub App to retain access to the repository via a scoped user access token. This issue was only exploitable in public repositories, while private repositories were not impacted. Recommendations: For GitHub Enterprise Server versions prior to 3.9.17, update to version 3.9.17. For GitHub Enterprise Server versions prior to 3.10.14, update to version 3.10.14. For GitHub Enterprise Server versions prior to 3.11.12, update to version 3.11.12. For GitHub Enterprise Server versions prior to 3.12.6, update to version 3.12.6. For GitHub Enterprise Server versions prior to 3.13.1, update to version 3.13.1. As a temporary workaround, consider restricting access to scoped user access tokens for suspended GitHub Apps until a patch is available.

Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.14 Description: A Cross-Site Request Forgery issue in GitHub Enterprise Server allowed write operations on a victim-owned repository by exploiting incorrect request types. The attacker would have to be a trusted GitHub Enterprise Server user, and the victim would have to visit a tag in the attacker's fork of their own repository. Recommendations: For versions prior to 3.9.17, update to version 3.9.17. For versions prior to 3.10.14, update to version 3.10.14. For versions prior to 3.11.12, update to version 3.11.12. For versions prior to 3.12.6, update to version 3.12.6. For versions prior to 3.13.1, update to version 3.13.1.