GitHub · GitHub Enterprise Server · CVE-2025-6600
Name of the Vulnerable Software and Affected Versions:
GitHub Enterprise Server version 3.17
Description:
An exposure of sensitive information issue was identified that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the "Search API" endpoint. Successful exploitation required an organization administrator to install a malicious GitHub App in the organization’s repositories.
Recommendations:
For GitHub Enterprise Server version 3.17, update to version 3.17.2 to resolve the issue. As a temporary workaround, consider restricting the installation of GitHub Apps to trusted sources until the update is applied. Restrict access to the Search API endpoint to minimize the risk of exploitation.
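A small triage helper for the two recommendations above, added here as an example (it is not GitHub's code). It flags GHES 3.17 versions older than the 3.17.2 fix and, for the interim workaround, scans audit-log events for GitHub App installations that are not on an administrator-maintained allowlist; the event shape, the `integration_installation.create` action name, the allowlist and the sample log lines are assumptions and constructed data, not taken from the advisory.

```python
import json

FIXED_VERSION = (3, 17, 2)  # fix version stated in the advisory

def parse_version(version: str) -> tuple:
    """Turn '3.17.1' into (3, 17, 1) so releases compare numerically."""
    return tuple(int(part) for part in version.split("."))

def is_affected(version: str) -> bool:
    """True for any GHES 3.17.x release older than 3.17.2."""
    parts = parse_version(version)
    return parts[:2] == (3, 17) and parts < FIXED_VERSION

# Constructed allowlist of GitHub App slugs an org admin has vetted (assumption).
TRUSTED_APPS = {"ci-runner", "release-notes-bot"}

def untrusted_app_installs(log_lines):
    """Return audit events that installed a GitHub App not on the allowlist.

    Assumes newline-delimited JSON events with 'action', 'actor', 'org' and
    'integration' keys, and that an App installation is logged with the action
    'integration_installation.create' (assumption, not confirmed by the page).
    """
    hits = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        if event.get("action") != "integration_installation.create":
            continue
        if event.get("integration") not in TRUSTED_APPS:
            hits.append(event)
    return hits

# Constructed sample audit-log lines: one vetted install, one unvetted, one unrelated.
SAMPLE_LOG = [
    '{"action":"integration_installation.create","actor":"alice","org":"acme","integration":"ci-runner"}',
    '{"action":"integration_installation.create","actor":"bob","org":"acme","integration":"repo-stats-helper"}',
    '{"action":"repo.create","actor":"alice","org":"acme"}',
]

if __name__ == "__main__":
    for v in ("3.17", "3.17.1", "3.17.2", "3.16.4"):
        print(v, "affected" if is_affected(v) else "not affected")
    for hit in untrusted_app_installs(SAMPLE_LOG):
        print("review app install:", hit["integration"], "by", hit["actor"], "in", hit["org"])
```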