jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-30 03:01:36 -05:00
Code Issues Projects Releases Wiki Activity
Files
feac4c738b2ad6d7fad7ef6bcaaad3e07372302d
docs/data/release-notes/enterprise-server/2-22/10.yml

17 lines
2.4 KiB
YAML
Raw Blame History

date: '2021-04-01'
sections:
security_fixes:
- "**HIGH:** An improper access control vulnerability was identified in GitHub Enterprise Server that allowed access tokens generated from a GitHub App's [web authentication flow](https://docs.github.com/en/developers/apps/identifying-and-authorizing-users-for-github-apps#web-application-flow) to read private repository metadata via the REST API without having been granted the appropriate permissions. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. The private repository metadata returned would be limited to repositories owned by the user the token identifies. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.0.4 and was fixed in versions 3.0.4, 2.22.10, 2.21.18. This vulnerability has been assigned CVE-2021-22865 and was reported via the [GitHub Bug Bounty Program](https://bounty.github.com)."
- Packages have been updated to the latest security versions.
bugs:
- A timezone set on GitHub Enterprise 11.10.x or earlier was not being used by some services which were defaulting to UTC time.
- Services were not transitioning to new log files as part of log rotation, resulting in increased disk usage.
- The label on search results for internal repositories was shown as "Private" instead of "Internal".
known_issues:
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules are not maintained during an upgrade.
- Git LFS tracked files [uploaded through the web interface](https://github.com/blog/2105-upload-files-to-your-repositories) are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
- When a replica node is offline in a high availability configuration, {% data variables.product.product_name %} may still route {% data variables.product.prodname_pages %} requests to the offline node, reducing the availability of {% data variables.product.prodname_pages %} for users.
Reference in New Issue View Git Blame Copy Permalink