The 2.17 series release notes contain important changes in this release series.
OAuth app authorization bypass
A CRITICAL vulnerability was identified that allows an attacker to authorize an OAuth application on the account of a targeted user without the approval of the targeted user. This would allow an attacker to execute actions on behalf of the targeted user via the authorized OAuth application. The attacker would need to be able to create an OAuth application on the affected GitHub Enterprise Server instance to perform this attack. Additionally, to execute the attack, the targeted user would need to visit an attacker-controlled website.
The affected supported versions are:
- 2.14.0 - 2.14.23
- 2.15.0 - 2.15.16
- 2.16.0 - 2.16.11
- 2.17.0 - 2.17.2
We strongly recommend upgrading your GitHub Enterprise Server appliance to the latest patch release in your series, GitHub Enterprise Server 2.14.24, 2.15.17, 2.16.12, 2.17.3, or greater immediately. If you have any questions, please contact GitHub support at https://enterprise.github.com/support.
This vulnerability was reported through the GitHub Security Bug Bounty program.
Security Fixes
- CRITICAL: A malicious OAuth application could be authorized on a targeted user's account without requiring user approval, allowing an attacker to execute actions on behalf of the user.
Known Issues
- On a freshly set up GitHub Enterprise Server without any users, an attacker could create the first admin user.
- Custom firewall rules aren't maintained during an upgrade.
- Subversion (SVN) checkout may time out while the repository data cache is being built. In most cases, subsequent svn checkout attempts will succeed.
- Git LFS tracked files uploaded through the web interface are incorrectly added directly to the repository.
- Issues cannot be closed if they contain a permalink to a blob in the same repository where the file path is longer than 255 characters.
- Resque workers may not be cleaned up following a configuration run, leading to a growing number of stale workers, which in turn could lead to high memory consumption.
- Hypervisor type and root volumes are incorrectly detected on AWS Nitro instance types, preventing non-hotpatch upgrades. (updated: 2019-07-09)
- Lines in gists are not selectable. (updated: 2019-07-19)
- When "Users can search GitHub.com" is enabled with GitHub Connect, issues in private and internal repositories are not included in GitHub.com search results.
Thanks!
The GitHub Team