From a0ad3bfe2a99c3092e76ca9b3d476cf30988ca55 Mon Sep 17 00:00:00 2001 From: Mike Bailey Date: Fri, 28 Oct 2022 15:26:55 -0400 Subject: [PATCH] Add CVE-2022-23738 to patch notes (#32151) Co-authored-by: Laura Coursen --- data/release-notes/enterprise-server/3-2/20.yml | 2 ++ data/release-notes/enterprise-server/3-3/15.yml | 2 ++ data/release-notes/enterprise-server/3-4/10.yml | 2 ++ data/release-notes/enterprise-server/3-5/7.yml | 2 ++ data/release-notes/enterprise-server/3-6/3.yml | 2 ++ 5 files changed, 10 insertions(+) diff --git a/data/release-notes/enterprise-server/3-2/20.yml b/data/release-notes/enterprise-server/3-2/20.yml index fb7235a2c8..4966e70f68 100644 --- a/data/release-notes/enterprise-server/3-2/20.yml +++ b/data/release-notes/enterprise-server/3-2/20.yml @@ -3,6 +3,8 @@ sections: security_fixes: - | **HIGH**: Updated dependencies for the Management Console to the latest patch versions, which addresses security vulnerabilities including [CVE-2022-30123](https://github.com/advisories/GHSA-wq4h-7r42-5hrr) and [CVE-2022-29181](https://github.com/advisories/GHSA-xh29-r2w5-wx8m). + - | + **HIGH**: Added checks to address an improper cache key vulnerability that allowed an unauthorized actor to access private repository files through a public repository. This vulnerability has been assigned [CVE-2022-23738](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23738). - | **MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209). - | diff --git a/data/release-notes/enterprise-server/3-3/15.yml b/data/release-notes/enterprise-server/3-3/15.yml index 7c0cc5feed..4212559476 100644 --- a/data/release-notes/enterprise-server/3-3/15.yml +++ b/data/release-notes/enterprise-server/3-3/15.yml 
@@ -3,6 +3,8 @@ sections: security_fixes: - | **HIGH**: Updated dependencies for the Management Console to the latest patch versions, which addresses security vulnerabilities including [CVE-2022-30123](https://github.com/advisories/GHSA-wq4h-7r42-5hrr) and [CVE-2022-29181](https://github.com/advisories/GHSA-xh29-r2w5-wx8m). + - | + **HIGH**: Added checks to address an improper cache key vulnerability that allowed an unauthorized actor to access private repository files through a public repository. This vulnerability has been assigned [CVE-2022-23738](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23738). - | **MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209). - | diff --git a/data/release-notes/enterprise-server/3-4/10.yml b/data/release-notes/enterprise-server/3-4/10.yml index b6faf466f6..a760316f87 100644 --- a/data/release-notes/enterprise-server/3-4/10.yml +++ b/data/release-notes/enterprise-server/3-4/10.yml 
@@ -3,6 +3,8 @@ sections: security_fixes: - | **HIGH**: Updated dependencies for the Management Console to the latest patch versions, which addresses security vulnerabilities including [CVE-2022-30123](https://github.com/advisories/GHSA-wq4h-7r42-5hrr) and [CVE-2022-29181](https://github.com/advisories/GHSA-xh29-r2w5-wx8m). + - | + **HIGH**: Added checks to address an improper cache key vulnerability that allowed an unauthorized actor to access private repository files through a public repository. This vulnerability has been assigned [CVE-2022-23738](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23738). - | **MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209). - | diff --git a/data/release-notes/enterprise-server/3-5/7.yml b/data/release-notes/enterprise-server/3-5/7.yml index 24c2784c0f..e5177e7983 100644 --- a/data/release-notes/enterprise-server/3-5/7.yml +++ b/data/release-notes/enterprise-server/3-5/7.yml 
@@ -3,6 +3,8 @@ sections: security_fixes: - | **HIGH**: Updated dependencies for the Management Console to the latest patch versions, which addresses security vulnerabilities including [CVE-2022-30123](https://github.com/advisories/GHSA-wq4h-7r42-5hrr) and [CVE-2022-29181](https://github.com/advisories/GHSA-xh29-r2w5-wx8m). + - | + **HIGH**: Added checks to address an improper cache key vulnerability that allowed an unauthorized actor to access private repository files through a public repository. This vulnerability has been assigned [CVE-2022-23738](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23738). - | **MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209). - | diff --git a/data/release-notes/enterprise-server/3-6/3.yml b/data/release-notes/enterprise-server/3-6/3.yml index e76e8a49c9..84c7045197 100644 --- a/data/release-notes/enterprise-server/3-6/3.yml +++ b/data/release-notes/enterprise-server/3-6/3.yml 
@@ -3,6 +3,8 @@ sections: security_fixes: - | **HIGH**: Updated dependencies for the Management Console to the latest patch versions, which addresses security vulnerabilities including [CVE-2022-30123](https://github.com/advisories/GHSA-wq4h-7r42-5hrr) and [CVE-2022-29181](https://github.com/advisories/GHSA-xh29-r2w5-wx8m). + - | + **HIGH**: Added checks to address an improper cache key vulnerability that allowed an unauthorized actor to access private repository files through a public repository. This vulnerability has been assigned [CVE-2022-23738](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23738). - | **MEDIUM**: Updated [CommonMarker](https://github.com/gjtorikian/commonmarker) to address a scenario where parallel requests to the Markdown REST API could result in unbounded resource exhaustion. This vulnerability has been assigned [CVE-2022-39209](https://nvd.nist.gov/vuln/detail/CVE-2022-39209). - |
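Review bot: the new `**HIGH**` bullet in each of the five `security_fixes` hunks links CVE-2022-23738 to `cve.mitre.org/cgi-bin/cvename.cgi?name=...`, while the neighbouring entries in the same list point at `github.com/advisories/GHSA-...` (CVE-2022-30123, CVE-2022-29181) and `nvd.nist.gov/vuln/detail/...` (CVE-2022-39209); settle on one canonical target for CVE links in these notes (the NVD form used two lines below, or a GHSA advisory if one exists) so readers land on the same kind of record for every identifier. The entry also names no affected surface, unlike its siblings ("Management Console", "Markdown REST API"): if the advisory allows it, say which feature performed the cache-key lookup so administrators can judge exposure and check their logs. Finally, the identical bullet is inserted verbatim into 3-2/20.yml, 3-3/15.yml, 3-4/10.yml, 3-5/7.yml and 3-6/3.yml; any later wording or link correction must be applied to all five files in one change, so it is worth confirming now that the severity rating and ordering (between the existing HIGH and MEDIUM items) match the advisory for every one of those release lines.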