docs-bot
@@ -8,36 +8,36 @@ intro: |
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
**HIGH:** An attacker could gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. GitHub has requested CVE ID [CVE-2024-1802](https://www.cve.org/cverecord?id=CVE-2024-1802) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker could gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. GitHub has requested CVE ID [CVE-2024-1082](https://www.cve.org/cverecord?id=CVE-2024-1082) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when configuring SAML settings. GitHub has requested CVE ID [CVE-2024-1372](https://www.cve.org/cverecord?id=CVE-2024-1372) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when configuring SAML settings. GitHub has requested CVE ID [CVE-2024-1372](https://www.cve.org/cverecord?id=CVE-2024-1372) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting an HTTP proxy. GitHub has requested CVE ID [CVE-2024-1359](https://www.cve.org/cverecord?id=CVE-2024-1359) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting an HTTP proxy. GitHub has requested CVE ID [CVE-2024-1359](https://www.cve.org/cverecord?id=CVE-2024-1359) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring SMTP options. GitHub has requested CVE ID [CVE-2024-1378](https://www.cve.org/cverecord?id=CVE-2024-1378) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring SMTP options. GitHub has requested CVE ID [CVE-2024-1378](https://www.cve.org/cverecord?id=CVE-2024-1378) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `actions-console` docker container while setting a service URL. GitHub has requested CVE ID [CVE-2024-1355](https://www.cve.org/cverecord?id=CVE-2024-1355) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `actions-console` docker container while setting a service URL. GitHub has requested CVE ID [CVE-2024-1355](https://www.cve.org/cverecord?id=CVE-2024-1355) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `syslog-ng` configuration file. GitHub has requested CVE ID [CVE-2024-1354](https://www.cve.org/cverecord?id=CVE-2024-1354) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `syslog-ng` configuration file. GitHub has requested CVE ID [CVE-2024-1354](https://www.cve.org/cverecord?id=CVE-2024-1354) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting the username and password for `collectd` configurations. GitHub has requested CVE ID [CVE-2024-1369](https://www.cve.org/cverecord?id=CVE-2024-1369) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting the username and password for `collectd` configurations. GitHub has requested CVE ID [CVE-2024-1369](https://www.cve.org/cverecord?id=CVE-2024-1369) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring audit log forwarding. GitHub has requested CVE ID [CVE-2024-1374](https://www.cve.org/cverecord?id=CVE-2024-1374) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring audit log forwarding. GitHub has requested CVE ID [CVE-2024-1374](https://www.cve.org/cverecord?id=CVE-2024-1374) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker could create new branches in public repositories, and run workflows in target repositories with read and write permission for GITHUB_TOKEN. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**MEDIUM:** An attacker could make changes to a user account by taking advantage of a Cross-site Scripting vulnerability in the tag name pattern field in the tag protections UI. Exploitation of this vulnerability required user interaction with malicious javascript on a website along with further social engineering. GitHub has requested CVE ID [CVE-2023-51381](https://www.cve.org/cverecord?id=CVE-2023-51381) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**MEDIUM:** An attacker could make changes to a user account by taking advantage of a Cross-site Scripting vulnerability in the tag name pattern field in the tag protections UI. Exploitation of this vulnerability required user interaction with malicious javascript on a website along with further social engineering. GitHub has requested CVE ID [CVE-2024-1084](https://www.cve.org/cverecord?id=CVE-2024-1084) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**LOW:** An attacker could decrypt the user section of the enterprise user license list JSON file by using an exposed private key. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
|
||||
- |
|
||||
Packages have been updated to the latest security versions.
|
||||
Packages have been updated to the latest security versions.
|
||||
bugs:
|
||||
- |
|
||||
On startup, Elasticsearch logged an innocuous JMX MBeans registration error.
|
||||
On startup, Elasticsearch logged an innocuous JMX MBeans registration error.
|
||||
- |
|
||||
Hunk headers in C# files did not correctly display changed functions.
|
||||
- |
|
||||
Pre-receive hook failures were not visible in the administrator audit log due to an incomplete bug fix.
|
||||
Pre-receive hook failures were not visible in the administrator audit log due to an incomplete bug fix.
|
||||
- |
|
||||
When restoring a deleted repository, some metadata associated with the repository, such as packages or project items, did not properly restore.
|
||||
- |
|
||||
@@ -46,7 +46,7 @@ sections:
|
||||
During Git data server maintenance, a process that was ran on unsupported GitHub Enterprise Server topologies created a significant amount of system logs but did not perform any repair work.
|
||||
changes:
|
||||
- |
|
||||
The default 30 second webhook delivery HTTP timeout can be configured.
|
||||
The default 30 second webhook delivery HTTP timeout can be configured.
|
||||
known_issues:
|
||||
- |
|
||||
Custom firewall rules are removed during the upgrade process.
|
||||
|
||||
@@ -2,34 +2,34 @@ date: '2024-02-13'
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
**HIGH:** An attacker could gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. GitHub has requested CVE ID [CVE-2024-1802](https://www.cve.org/cverecord?id=CVE-2024-1802) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker could gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. GitHub has requested CVE ID [CVE-2024-1082](https://www.cve.org/cverecord?id=CVE-2024-1082) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when configuring SAML settings. GitHub has requested CVE ID [CVE-2024-1372](https://www.cve.org/cverecord?id=CVE-2024-1372) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when configuring SAML settings. GitHub has requested CVE ID [CVE-2024-1372](https://www.cve.org/cverecord?id=CVE-2024-1372) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting an HTTP proxy. GitHub has requested CVE ID [CVE-2024-1359](https://www.cve.org/cverecord?id=CVE-2024-1359) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting an HTTP proxy. GitHub has requested CVE ID [CVE-2024-1359](https://www.cve.org/cverecord?id=CVE-2024-1359) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring SMTP options. GitHub has requested CVE ID [CVE-2024-1378](https://www.cve.org/cverecord?id=CVE-2024-1378) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring SMTP options. GitHub has requested CVE ID [CVE-2024-1378](https://www.cve.org/cverecord?id=CVE-2024-1378) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `actions-console` docker container while setting a service URL. GitHub has requested CVE ID [CVE-2024-1355](https://www.cve.org/cverecord?id=CVE-2024-1355) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `actions-console` docker container while setting a service URL. GitHub has requested CVE ID [CVE-2024-1355](https://www.cve.org/cverecord?id=CVE-2024-1355) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `syslog-ng` configuration file. GitHub has requested CVE ID [CVE-2024-1354](https://www.cve.org/cverecord?id=CVE-2024-1354) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `syslog-ng` configuration file. GitHub has requested CVE ID [CVE-2024-1354](https://www.cve.org/cverecord?id=CVE-2024-1354) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting the username and password for `collectd` configurations. GitHub has requested CVE ID [CVE-2024-1369](https://www.cve.org/cverecord?id=CVE-2024-1369) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting the username and password for `collectd` configurations. GitHub has requested CVE ID [CVE-2024-1369](https://www.cve.org/cverecord?id=CVE-2024-1369) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring audit log forwarding. GitHub has requested CVE ID [CVE-2024-1374](https://www.cve.org/cverecord?id=CVE-2024-1374) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring audit log forwarding. GitHub has requested CVE ID [CVE-2024-1374](https://www.cve.org/cverecord?id=CVE-2024-1374) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker could create new branches in public repositories, and run workflows in target repositories with read and write permission for GITHUB_TOKEN. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**MEDIUM:** An attacker could make changes to a user account by taking advantage of a Cross-site Scripting vulnerability in the tag name pattern field in the tag protections UI. Exploitation of this vulnerability required user interaction with malicious javascript on a website along with further social engineering. GitHub has requested CVE ID [CVE-2023-51381](https://www.cve.org/cverecord?id=CVE-2023-51381) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**MEDIUM:** An attacker could make changes to a user account by taking advantage of a Cross-site Scripting vulnerability in the tag name pattern field in the tag protections UI. Exploitation of this vulnerability required user interaction with malicious javascript on a website along with further social engineering. GitHub has requested CVE ID [CVE-2024-1084](https://www.cve.org/cverecord?id=CVE-2024-1084) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**LOW:** An attacker could decrypt the user section of the enterprise user license list JSON file by using an exposed private key. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
|
||||
- |
|
||||
Packages have been updated to the latest security versions.
|
||||
bugs:
|
||||
Packages have been updated to the latest security versions.
|
||||
bugs:
|
||||
- |
|
||||
On startup, Elasticsearch logged an innocuous JMX MBeans registration error.
|
||||
On startup, Elasticsearch logged an innocuous JMX MBeans registration error.
|
||||
- |
|
||||
Hunk headers in C# files did not correctly display changed functions.
|
||||
Hunk headers in C# files did not correctly display changed functions.
|
||||
- |
|
||||
On an instance with a GitHub Advanced Security license, the code scanning "Tools" status page incorrectly displayed an **Add tool** button when Actions was disabled.
|
||||
- |
|
||||
@@ -39,10 +39,10 @@ sections:
|
||||
- |
|
||||
When restoring a deleted repository, some metadata associated with the repository, such as packages or project items, did not properly restore.
|
||||
- |
|
||||
During Git data server maintenance, a process that was ran on unsupported GitHub Enterprise Server topologies created a significant amount of system logs but did not perform any repair work.
|
||||
During Git data server maintenance, a process that was ran on unsupported GitHub Enterprise Server topologies created a significant amount of system logs but did not perform any repair work.
|
||||
changes:
|
||||
- |
|
||||
The default 30 second webhook delivery HTTP timeout can be configured.
|
||||
The default 30 second webhook delivery HTTP timeout can be configured.
|
||||
known_issues:
|
||||
- |
|
||||
Custom firewall rules are removed during the upgrade process.
|
||||
|
||||
@@ -2,39 +2,39 @@ date: '2024-02-13'
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
**HIGH:** An attacker could gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. GitHub has requested CVE ID [CVE-2024-1802](https://www.cve.org/cverecord?id=CVE-2024-1802) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker could gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. GitHub has requested CVE ID [CVE-2024-1082](https://www.cve.org/cverecord?id=CVE-2024-1082) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when configuring SAML settings. GitHub has requested CVE ID [CVE-2024-1372](https://www.cve.org/cverecord?id=CVE-2024-1372) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when configuring SAML settings. GitHub has requested CVE ID [CVE-2024-1372](https://www.cve.org/cverecord?id=CVE-2024-1372) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting an HTTP proxy. GitHub has requested CVE ID [CVE-2024-1359](https://www.cve.org/cverecord?id=CVE-2024-1359) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting an HTTP proxy. GitHub has requested CVE ID [CVE-2024-1359](https://www.cve.org/cverecord?id=CVE-2024-1359) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring SMTP options. GitHub has requested CVE ID [CVE-2024-1378](https://www.cve.org/cverecord?id=CVE-2024-1378) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring SMTP options. GitHub has requested CVE ID [CVE-2024-1378](https://www.cve.org/cverecord?id=CVE-2024-1378) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `actions-console` docker container while setting a service URL. GitHub has requested CVE ID [CVE-2024-1355](https://www.cve.org/cverecord?id=CVE-2024-1355) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `actions-console` docker container while setting a service URL. GitHub has requested CVE ID [CVE-2024-1355](https://www.cve.org/cverecord?id=CVE-2024-1355) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `syslog-ng` configuration file. GitHub has requested CVE ID [CVE-2024-1354](https://www.cve.org/cverecord?id=CVE-2024-1354) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `syslog-ng` configuration file. GitHub has requested CVE ID [CVE-2024-1354](https://www.cve.org/cverecord?id=CVE-2024-1354) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting the username and password for `collectd` configurations. GitHub has requested CVE ID [CVE-2024-1369](https://www.cve.org/cverecord?id=CVE-2024-1369) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting the username and password for `collectd` configurations. GitHub has requested CVE ID [CVE-2024-1369](https://www.cve.org/cverecord?id=CVE-2024-1369) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring audit log forwarding. GitHub has requested CVE ID [CVE-2024-1374](https://www.cve.org/cverecord?id=CVE-2024-1374) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring audit log forwarding. GitHub has requested CVE ID [CVE-2024-1374](https://www.cve.org/cverecord?id=CVE-2024-1374) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**MEDIUM:** An attacker could make changes to a user account by taking advantage of a Cross-site Scripting vulnerability in the tag name pattern field in the tag protections UI. Exploitation of this vulnerability required user interaction with malicious javascript on a website along with further social engineering. GitHub has requested CVE ID [CVE-2023-51381](https://www.cve.org/cverecord?id=CVE-2023-51381) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**MEDIUM:** An attacker could make changes to a user account by taking advantage of a Cross-site Scripting vulnerability in the tag name pattern field in the tag protections UI. Exploitation of this vulnerability required user interaction with malicious javascript on a website along with further social engineering. GitHub has requested CVE ID [CVE-2024-1084](https://www.cve.org/cverecord?id=CVE-2024-1084) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**LOW:** An attacker could decrypt the user section of the enterprise user license list JSON file by using an exposed private key. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
|
||||
- |
|
||||
Packages have been updated to the latest versions.
|
||||
Packages have been updated to the latest versions.
|
||||
bugs:
|
||||
- |
|
||||
On startup, Elasticsearch logged an innocuous JMX MBeans registration error.
|
||||
On startup, Elasticsearch logged an innocuous JMX MBeans registration error.
|
||||
- |
|
||||
Hunk headers in C# files did not correctly display changed functions.
|
||||
Hunk headers in C# files did not correctly display changed functions.
|
||||
- |
|
||||
Users could not use integrations to mark a pull request as ready for review.
|
||||
- |
|
||||
During Git data server maintenance, a process that was ran on unsupported GitHub Enterprise Server topologies created a significant amount of system logs but did not perform any repair work.
|
||||
changes:
|
||||
- |
|
||||
The default 30 second webhook delivery HTTP timeout can be configured.
|
||||
The default 30 second webhook delivery HTTP timeout can be configured.
|
||||
known_issues:
|
||||
- |
|
||||
Custom firewall rules are removed during the upgrade process.
|
||||
|
||||
@@ -8,43 +8,43 @@ intro: |
|
||||
sections:
|
||||
security_fixes:
|
||||
- |
|
||||
**HIGH:** An attacker could gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. GitHub has requested CVE ID [CVE-2024-1802](https://www.cve.org/cverecord?id=CVE-2024-1802) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker could gain unauthorized read permission to files by deploying arbitrary symbolic links to a GitHub Pages site with a specially crafted artifact tarball. GitHub has requested CVE ID [CVE-2024-1082](https://www.cve.org/cverecord?id=CVE-2024-1082) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when configuring SAML settings. GitHub has requested CVE ID [CVE-2024-1372](https://www.cve.org/cverecord?id=CVE-2024-1372) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when configuring SAML settings. GitHub has requested CVE ID [CVE-2024-1372](https://www.cve.org/cverecord?id=CVE-2024-1372) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting an HTTP proxy. GitHub has requested CVE ID [CVE-2024-1359](https://www.cve.org/cverecord?id=CVE-2024-1359) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting an HTTP proxy. GitHub has requested CVE ID [CVE-2024-1359](https://www.cve.org/cverecord?id=CVE-2024-1359) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring SMTP options. GitHub has requested CVE ID [CVE-2024-1378](https://www.cve.org/cverecord?id=CVE-2024-1378) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring SMTP options. GitHub has requested CVE ID [CVE-2024-1378](https://www.cve.org/cverecord?id=CVE-2024-1378) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `actions-console` docker container while setting a service URL. GitHub has requested CVE ID [CVE-2024-1355](https://www.cve.org/cverecord?id=CVE-2024-1355) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `actions-console` docker container while setting a service URL. GitHub has requested CVE ID [CVE-2024-1355](https://www.cve.org/cverecord?id=CVE-2024-1355) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `syslog-ng` configuration file. GitHub has requested CVE ID [CVE-2024-1354](https://www.cve.org/cverecord?id=CVE-2024-1354) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection in the `syslog-ng` configuration file. GitHub has requested CVE ID [CVE-2024-1354](https://www.cve.org/cverecord?id=CVE-2024-1354) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting the username and password for `collectd` configurations. GitHub has requested CVE ID [CVE-2024-1369](https://www.cve.org/cverecord?id=CVE-2024-1369) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection when setting the username and password for `collectd` configurations. GitHub has requested CVE ID [CVE-2024-1369](https://www.cve.org/cverecord?id=CVE-2024-1369) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring audit log forwarding. GitHub has requested CVE ID [CVE-2024-1374](https://www.cve.org/cverecord?id=CVE-2024-1374) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**HIGH:** An attacker with an editor role in the Management Console could gain admin SSH access to the appliance by command injection into nomad templates when configuring audit log forwarding. GitHub has requested CVE ID [CVE-2024-1374](https://www.cve.org/cverecord?id=CVE-2024-1374) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**HIGH:** An attacker could create new branches in public repositories, and run workflows in target repositories with read and write permission for GITHUB_TOKEN. This vulnerability was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**MEDIUM:** An attacker could make changes to a user account by taking advantage of a Cross-site Scripting vulnerability in the tag name pattern field in the tag protections UI. Exploitation of this vulnerability required user interaction with malicious javascript on a website along with further social engineering. GitHub has requested CVE ID [CVE-2023-51381](https://www.cve.org/cverecord?id=CVE-2023-51381) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
**MEDIUM:** An attacker could make changes to a user account by taking advantage of a Cross-site Scripting vulnerability in the tag name pattern field in the tag protections UI. Exploitation of this vulnerability required user interaction with malicious javascript on a website along with further social engineering. GitHub has requested CVE ID [CVE-2024-1084](https://www.cve.org/cverecord?id=CVE-2024-1084) for this vulnerability, which was reported via the [GitHub Bug Bounty program](https://bounty.github.com/).
|
||||
- |
|
||||
**LOW:** An attacker could decrypt the user section of the enterprise user license list JSON file by using an exposed private key. This vulnerability was reported via the [GitHub Bug Bounty](https://bounty.github.com/) program.
|
||||
- |
|
||||
Packages have been updated to the latest security versions.
|
||||
bugs:
|
||||
Packages have been updated to the latest security versions.
|
||||
bugs:
|
||||
- |
|
||||
On startup, Elasticsearch logged an innocuous JMX MBeans registration error.
|
||||
On startup, Elasticsearch logged an innocuous JMX MBeans registration error.
|
||||
- |
|
||||
Hunk headers in C# files did not correctly display changed functions.
|
||||
Hunk headers in C# files did not correctly display changed functions.
|
||||
- |
|
||||
Pre-receive hook failures were not visible in the administrator audit log. A previous bug fix for this issue was incomplete.
|
||||
Pre-receive hook failures were not visible in the administrator audit log. A previous bug fix for this issue was incomplete.
|
||||
- |
|
||||
When restoring a deleted repository, some metadata associated with the repository, such as packages or project items, did not properly restore.
|
||||
- |
|
||||
During Git data server maintenance, a process that was ran on unsupported GitHub Enterprise Server topologies created a significant amount of system logs but did not perform any repair work.
|
||||
changes:
|
||||
- |
|
||||
The default 30 second webhook delivery HTTP timeout can be configured.
|
||||
The default 30 second webhook delivery HTTP timeout can be configured.
|
||||
known_issues:
|
||||
- |
|
||||
Custom firewall rules are removed during the upgrade process.
|
||||
|
||||
Reference in New Issue
Block a user