CVE-2020-10517

Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 2.22 GitHub Enterprise Server version 2.21.6 GitHub Enterprise Server version 2.20.15 GitHub Enterprise Server version 2.19.21

Description An improper access control issue was identified in GitHub Enterprise Server, allowing authenticated users to determine the names of unauthorized private repositories given their numerical IDs. This issue did not allow unauthorized access to any repository content besides the name. The issue was reported via the GitHub Bug Bounty program.

Recommendations For GitHub Enterprise Server versions prior to 2.22, update to version 2.22 or later to resolve the issue. For GitHub Enterprise Server version 2.21.6, no additional action is required as this version already contains the fix. For GitHub Enterprise Server version 2.20.15, no additional action is required as this version already contains the fix. For GitHub Enterprise Server version 2.19.21, no additional action is required as this version already contains the fix.