Teddy Katz

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions 2.4.21 through 2.20.23 GitHub Enterprise Server versions 2.21.0 through 2.21.14 GitHub Enterprise Server versions 2.22.0 through 2.22.6 GitHub Enterprise Server versions 3.0.0 **Description** An improper access control issue was identified in GitHub Enterprise Server, allowing authenticated users to gain write access to unauthorized repositories via specifically crafted pull requests and REST API requests. To exploit this, an attacker would need to be able to fork the targeted repository, a setting that is disabled by default for organization-owned private repositories. Branch protections, such as required pull request reviews or status checks, would prevent unauthorized commits from being merged without further review or validation. **Recommendations** For GitHub Enterprise Server versions 2.4.21 through 2.20.23, update to version 2.20.24. For GitHub Enterprise Server versions 2.21.0 through 2.21.14, update to version 2.21.15. For GitHub Enterprise Server versions 2.22.0 through 2.22.6, update to version 2.22.7. For GitHub Enterprise Server versions 3.0.0, update to version 3.0.1.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions 3.0.0, 3.0.0.rc2, and 3.0.0.rc1 **Description** An improper access control issue was identified that allowed an authenticated user with the ability to fork a repository to disclose Actions secrets for the parent repository of the fork. This issue existed due to a flaw that allowed the base reference of a pull request to be updated to point to an arbitrary SHA or another pull request outside of the fork repository. By establishing this incorrect reference in a PR, the restrictions that limit the Actions secrets sent a workflow from forks could be bypassed. **Recommendations** For GitHub Enterprise Server version 3.0.0, update to a version that includes the fix for this issue. For GitHub Enterprise Server version 3.0.0.rc2, update to a version that includes the fix for this issue. For GitHub Enterprise Server version 3.0.0.rc1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the ability to fork repositories and update the base reference of pull requests to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GitHub Enterprise Server versions 2.12.22 through 2.20.23 GitHub Enterprise Server versions 2.21.0 through 2.21.14 GitHub Enterprise Server versions 2.22.0 through 2.22.6 GitHub Enterprise Server versions 3.0.0 **Description** An improper access control issue was identified in the GitHub Enterprise Server GraphQL API, allowing authenticated users to modify the maintainer collaboration permission of a pull request without proper authorization. This could enable an attacker to gain access to head branches of pull requests opened on repositories of which they are a maintainer. However, forking is disabled by default for organization-owned private repositories, which would prevent this issue. Additionally, branch protections such as required pull request reviews or status checks would prevent unauthorized commits from being merged without further review or validation. **Recommendations** For GitHub Enterprise Server versions 2.12.22 through 2.20.23, update to version 2.20.24 or later. For GitHub Enterprise Server versions 2.21.0 through 2.21.14, update to version 2.21.15 or later. For GitHub Enterprise Server versions 2.22.0 through 2.22.6, update to version 2.22.7 or later. For GitHub Enterprise Server versions 3.0.0, update to version 3.0.1 or later.