R31N

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.21.1 **Description** A Server-Side Request Forgery (SSRF) allows an attacker to force the server to send HTTP requests to internal services through the security advisories package lookup feature. By targeting an internal management service and analyzing response timing, an attacker can infer sensitive environment variables, such as private keys and signing secrets. This issue requires GitHub Packages to be enabled. On instances not operating in private mode, the flaw is exploitable without authentication; otherwise, it requires an authenticated user. **Recommendations** Update to version 3.21.1 or later. Update to version 3.20.3. Update to version 3.19.7. Update to version 3.18.10. Update to version 3.17.16. Update to version 3.16.19. As a temporary mitigation, disable GitHub Packages to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.21 **Description** A server-side request forgery (SSRF) issue exists in the notebook viewer. This occurs due to URL parser confusion between the validation layer and the HTTP request library, where the hostname validation uses a different parser than the request library. This allows a crafted URL to bypass validation and direct requests to unintended internal services. Exploitation requires network access to the instance. **Recommendations** Update to version 3.16.18 Update to version 3.17.15 Update to version 3.18.9 Update to version 3.19.6 Update to version 3.20.2 Update to version 3.21 or later

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.21 **Description** A server-side request forgery (SSRF) allows an attacker to extract sensitive environment variables from an instance via a timing side-channel attack against the notebook rendering service. When private mode is disabled, the notebook viewer follows HTTP redirects without revalidating the destination host, enabling unauthenticated SSRF to internal services. By chaining the instance's open redirect endpoint through an external redirect to reach internal services and using regex filter queries against an internal API to measure response time differences, an attacker can infer secret values character by character. **Recommendations** Update to version 3.14.26 Update to version 3.15.21 Update to version 3.16.17 Update to version 3.17.14 Update to version 3.18.8 Update to version 3.19.5 Update to version 3.20.1 Enable private mode to prevent the notebook viewer from following redirects to internal services.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.17.11 GitHub Enterprise Server versions prior to 3.18.5 GitHub Enterprise Server versions prior to 3.19.2 **Description** An authorization flaw exists in GitHub Enterprise Server that could allow an attacker to merge a pull request into a repository without necessary push permissions. This is due to an authorization bypass in the `enable auto merge` mutation for pull requests. The issue requires the target repository to allow forking and relies on opening a pull request from a fork controlled by the attacker. Successful exploitation is limited to pull requests with a clean status and branches lacking branch protection rules. **Recommendations** Update GitHub Enterprise Server to version 3.17.11 or later. Update GitHub Enterprise Server to version 3.18.5 or later. Update GitHub Enterprise Server to version 3.19.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.19 GitHub Enterprise Server versions 3.19.2 GitHub Enterprise Server versions 3.18.4 GitHub Enterprise Server versions 3.17.10 GitHub Enterprise Server versions 3.16.13 GitHub Enterprise Server versions 3.15.17 GitHub Enterprise Server versions 3.14.22 **Description** An URL redirection issue exists in GitHub Enterprise Server. This flaw allows an attacker to control redirects, potentially exposing sensitive authorization tokens. Specifically, the `repository pages` API improperly handles HTTP redirects when retrieving artifact URLs, carrying over the authorization header which includes a JWT (JSON Web Token). An authenticated user could redirect these requests to a domain controlled by an attacker, leading to the theft of the Actions.ManageOrgs JWT. This stolen token could then be used for potential remote code execution. Exploitation requires access to the target GitHub Enterprise Server and the ability to exploit a redirect to an attacker-controlled domain. **Recommendations** Upgrade to GitHub Enterprise Server version 3.19.2 or later. Upgrade to GitHub Enterprise Server version 3.18.4 or later. Upgrade to GitHub Enterprise Server version 3.17.10 or later. Upgrade to GitHub Enterprise Server version 3.16.13 or later. Upgrade to GitHub Enterprise Server version 3.15.17 or later. Upgrade to GitHub Enterprise Server version 3.14.22 or later.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.17 GitHub Enterprise Server version 3.13.0 **Description** A Remote Code Execution (RCE) vulnerability was identified in GitHub Enterprise Server that allowed attackers to execute arbitrary code by exploiting the pre-receive hook functionality, potentially leading to privilege escalation and system compromise. The vulnerability involves using dynamically allocated ports that become temporarily available, such as during a hot patch upgrade. This means the vulnerability is only exploitable during specific operational conditions, which limits the attack window. Exploitation required either site administrator permissions to enable and configure pre-receive hooks or a user with permissions to modify repositories containing pre-receive hooks where this functionality was already enabled. **Recommendations** For GitHub Enterprise Server versions prior to 3.17, update to version 3.16.2, 3.15.6, 3.14.11, or 3.13.14 to fix the vulnerability. As a temporary workaround, consider disabling the pre-receive hook functionality until a patch is available. Restrict access to the pre-receive hook functionality to minimize the risk of exploitation. Avoid using the pre-receive hook functionality during hot patch upgrades until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.10.17 GitHub Enterprise Server versions prior to 3.11.15 GitHub Enterprise Server versions prior to 3.12.9 GitHub Enterprise Server versions prior to 3.13.4 GitHub Enterprise Server versions prior to 3.14.1 Description: A Cross-Site Scripting (XSS) issue was identified in the repository transfer feature of GitHub Enterprise Server. This allows attackers to steal sensitive user information via social engineering. Recommendations: For versions prior to 3.10.17, update to version 3.10.17 or later. For versions prior to 3.11.15, update to version 3.11.15 or later. For versions prior to 3.12.9, update to version 3.12.9 or later. For versions prior to 3.13.4, update to version 3.13.4 or later. For versions prior to 3.14.1, update to version 3.14.1 or later.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.13 **Description** A Server-Side Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the Site Administrator role to gain arbitrary code execution capability on the GitHub Enterprise Server instance. Exploitation required authenticated access to GitHub Enterprise Server as a user with the Site Administrator role. **Recommendations** For versions prior to 3.12.5, update to version 3.12.5. For versions prior to 3.11.11, update to version 3.11.11. For versions prior to 3.10.13, update to version 3.10.13. For versions prior to 3.9.16, update to version 3.9.16. As a temporary workaround, consider restricting access to the GitHub Enterprise Server instance to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.12 GitHub Enterprise Server versions 3.9 through 3.9.12 GitHub Enterprise Server versions 3.10 through 3.10.9 GitHub Enterprise Server versions 3.11 through 3.11.7 **Description** A server side request forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin access to the appliance when configuring the Artifacts & Logs and Migrations Storage. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability was reported via the GitHub Bug Bounty program. **Recommendations** For GitHub Enterprise Server versions prior to 3.9.13, update to version 3.9.13 or later. For GitHub Enterprise Server versions 3.10 through 3.10.9, update to version 3.10.10 or later. For GitHub Enterprise Server versions 3.11 through 3.11.7, update to version 3.11.8 or later. For GitHub Enterprise Server versions 3.12 through 3.12.1, update to version 3.12.2 or later.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.12 GitHub Enterprise Server version 3.12 through 3.12.1 GitHub Enterprise Server version 3.11 through 3.11.7 GitHub Enterprise Server version 3.10 through 3.10.9 GitHub Enterprise Server version 3.9 through 3.9.12 **Description** A command injection issue was identified in GitHub Enterprise Server, allowing an attacker with an editor role in the Management Console to gain admin SSH access to the instance when configuring the chat integration. Exploitation of this issue required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This issue was reported via the GitHub Bug Bounty program. **Recommendations** For GitHub Enterprise Server versions prior to 3.9.13, update to version 3.9.13. For GitHub Enterprise Server versions 3.10 through 3.10.9, update to version 3.10.10. For GitHub Enterprise Server versions 3.11 through 3.11.7, update to version 3.11.8. For GitHub Enterprise Server versions 3.12 through 3.12.1, update to version 3.12.2.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.13 GitHub Enterprise Server versions 3.8.17, 3.9.12, 3.10.9, 3.11.7, and 3.12.1 are not affected as they contain the fix, so the correct range is: GitHub Enterprise Server versions prior to 3.8.17, 3.9.12, 3.10.9, 3.11.7, and 3.12.1 are affected, but to simplify: GitHub Enterprise Server versions prior to 3.13 **Description** A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when configuring GeoJSON settings. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. This vulnerability was reported via the GitHub Bug Bounty program. **Recommendations** For GitHub Enterprise Server versions prior to 3.8.17, update to version 3.8.17. For GitHub Enterprise Server versions 3.8.x and prior to 3.9.12, update to version 3.9.12. For GitHub Enterprise Server versions 3.9.x and prior to 3.10.9, update to version 3.10.9. For GitHub Enterprise Server versions 3.10.x and prior to 3.11.7, update to version 3.11.7. For GitHub Enterprise Server versions 3.11.x and prior to 3.12.1, update to version 3.12.1. For GitHub Enterprise Server versions 3.12.x and prior to 3.13, update to version 3.13 or later.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.12 **Description** A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when setting up an HTTP proxy. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. **Recommendations** For versions prior to 3.11.5, update to version 3.11.5 or later. For versions prior to 3.10.7, update to version 3.10.7 or later. For versions prior to 3.9.10, update to version 3.9.10 or later. For versions prior to 3.8.15, update to version 3.8.15 or later. As a temporary workaround, consider restricting access to the Management Console to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions prior to 3.12 GitHub Enterprise Server version 3.11.5 GitHub Enterprise Server version 3.10.7 GitHub Enterprise Server version 3.9.10 GitHub Enterprise Server version 3.8.15 **Description** A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance when configuring SAML settings. Exploitation of this vulnerability required access to the GitHub Enterprise Server instance and access to the Management Console with the editor role. **Recommendations** For GitHub Enterprise Server versions prior to 3.12, update to version 3.12 or later to resolve the issue. For GitHub Enterprise Server version 3.11.5, no additional action is required as this version already contains the fix. For GitHub Enterprise Server version 3.10.7, no additional action is required as this version already contains the fix. For GitHub Enterprise Server version 3.9.10, no additional action is required as this version already contains the fix. For GitHub Enterprise Server version 3.8.15, no additional action is required as this version already contains the fix. As a temporary workaround, consider restricting access to the Management Console with the editor role until a patch is available.