GitHub · GitHub Copilot CLI · CVE-2026-45033
**Name of the Vulnerable Software and Affected Versions**
GitHub Copilot CLI versions prior to 1.0.43
**Description**
An issue exists where a malicious bare git repository nested inside a project directory can lead to arbitrary code execution when the agent performs git operations. Because git automatically discovers a bare repository while traversing parent directories, an attacker who plants one can set configuration keys that name executables, so that git runs arbitrary commands without the user's awareness or approval. This is possible because certain git configuration keys, such as `core.fsmonitor`, `core.hookspath`, `diff.external`, and `merge.tool`, can specify shell commands that git executes during normal operations like `status`, `diff`, or `rev-parse`.
**Recommendations**
Update GitHub Copilot CLI to version 1.0.43 or later.
Exercise caution when working in repositories that contain nested bare git repositories.
Review project directories for unexpected bare repositories, especially in `vendor/`, `third party/`, or deeply nested subdirectories.
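The review in the last recommendation can be automated. The following scanner is an added example, not code from GitHub or the advisory: it walks a project tree, flags directories laid out like bare repositories (HEAD, objects/, refs/) outside the project's own .git, and reports which of the config keys named in the description appear in each one, without invoking git on the tree. The fixture directory, the `vendor/helper.git` name and the placeholder config values are constructed for the demonstration.

```python
# Added example (not the advisory's code): scan a tree for nested bare git repositories.
import os
import re
import tempfile
# Config keys the advisory names as able to run a command during routine git operations.
RISKY_KEYS = {"core.fsmonitor", "core.hookspath", "diff.external", "merge.tool"}
HEADER = re.compile(r'^\[\s*([^\s"\]]+)(?:\s+"([^"]*)")?\s*\]$')  # [section] or [section "sub"]

def is_bare_repo(path):
    """A bare repository keeps HEAD, objects/ and refs/ directly in the directory."""
    return all(os.path.exists(os.path.join(path, p)) for p in ("HEAD", "objects", "refs"))

def risky_config_keys(config_path):
    """Minimal git-config parse: track the section, lowercase the key, match against RISKY_KEYS."""
    found, section = [], None
    if not os.path.isfile(config_path):
        return found  # a bare repo without a config file carries no risky keys
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments and padding
            header = HEADER.match(line)
            if header:
                section = header.group(1).lower() + (f".{header.group(2)}" if header.group(2) else "")
            elif "=" in line and section is not None:
                key = f"{section}.{line.split('=', 1)[0].strip().lower()}"
                if key in RISKY_KEYS:
                    found.append(key)
    return found

def find_nested_bare_repos(root):
    """Return [(relative POSIX path, [risky keys])] for every bare repo below root."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")  # a .git dir looks bare; skip by name
        if dirpath != root and is_bare_repo(dirpath):
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings.append((rel, risky_config_keys(os.path.join(dirpath, "config"))))
            dirnames[:] = []  # no need to descend into the repo's own internals
    return findings

def build_sample_tree():
    """Constructed fixture: a project with its own .git plus a bare repo hidden under vendor/."""
    root = tempfile.mkdtemp()
    for d in (".git/objects", ".git/refs", "src", "vendor/helper.git/objects", "vendor/helper.git/refs"):
        os.makedirs(os.path.join(root, d))
    for repo in (".git", "vendor/helper.git"):
        with open(os.path.join(root, repo, "HEAD"), "w") as fh:
            fh.write("ref: refs/heads/main\n")
    with open(os.path.join(root, "vendor/helper.git/config"), "w") as fh:  # placeholder values only
        fh.write("[core]\n\tbare = true\n\tfsMonitor = placeholder  # constructed\n[diff]\n\texternal = placeholder\n")
    return root
```

Git can also be told to ignore embedded bare repositories outright: setting `safe.bareRepository=explicit` (available since Git 2.38) makes git use a bare repository only when it is named explicitly, which complements a scan like this.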