The 2.12 series release notes contain important changes in this release series.
A file path traversal vulnerability in GitHub Enterprise
A CRITICAL issue was identified that allows an attacker with repository write access to create Pages sites that can display the content of system files. This could used to further escalate the vulnerability to execute arbitrary commands on the GitHub Enterprise appliance.
The affected supported versions are:
- 2.12.0 - 2.12.17
- 2.13.0 - 2.13.9
- 2.14.0 - 2.14.3
GitHub Enterprise 2.11 is not vulnerable.
We strongly recommend upgrading your GitHub Enterprise appliance to the latest patch release in your series, GitHub Enterprise 2.12.18, 2.13.10, 2.14.4, or greater.
- CRITICAL: A file path traversal vulnerability in GitHub Pages could allow users to display the content of local files.
- MEDIUM: Access may have been inadvertently granted to internal IP addresses of GitHub Enterprise. The fix removed any access grants via an IP address.
- LOW: A malicious user could execute a 'tab-nabbing' attack by exploiting
window.opener when linking from GitHub Enterprise hosted Markdown content.
- Packages have been updated to the latest security versions.
- Deleting an SNMPv3 user via
ghe-snmpv3-remove-user did not remove all account data, preventing administrators from updating the password for the SNMPv3 user.
- Terminating the
ghe-set-password command could result in unexpected shell behavior.
- Messages sent from the email service hook failed due to a recent security update.
- Adding a new integration failed if the license seat limit was reached.
- Admins can see which repositories are using GitHub Services with
- Images uploaded to issues save with an absolute URL, so they can be broken if the hostname changes.
- On a freshly set up GitHub Enterprise without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- svn checkout may timeout while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Pull request review comments migrated with
ghe-migrator are displayed in the wrong order.
- Git LFS, release and issue assets, user profile images, webhooks, or Subversion access may be unavailable if an appliance is restarted after applying the 2.12.5 or greater hotpatch—if this occurs, please contact Enterprise Support for assistance.
The GitHub Team