7,500 pts
@kyprizel discovered a command injection vulnerability in the management interface for GitHub Enterprise. Exploitation did not require authentication, but the management interface runs on a different port by default and Enterprise administrators are encouraged to restrict access to this port for the appliance. Still, many instances were likely exploitable.
We addressed this vulnerability by not including request parameters in shell commands. We issued an unplanned update to GitHub Enterprise to quickly provide a fix to users.
This vulnerability only affected GitHub Enterprise version 2.5.X. If you are running the 2.5.X series, please ensure that you have updated to version 2.5.4 or higher. More details can be found in the v2.5.4 release notes.
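The fix described above, "not including request parameters in shell commands", comes down to never letting a shell parse request data. The following is an added illustration, not GitHub's code: a hypothetical diagnostic handler that takes a hostname parameter, shown first in the string-interpolation form that creates this bug class and then in an argv form that validates the value and bypasses the shell entirely.

```ruby
# Added example (not GitHub Enterprise code). The "ping" tool and the
# hostname parameter are hypothetical stand-ins for whatever the
# management interface actually ran.
require 'open3'
require 'shellwords'

# Vulnerable pattern: the request parameter is spliced into one string
# that later goes to system(str), i.e. /bin/sh -c, so the shell, not the
# program, decides where the command ends.
def vulnerable_command(host)
  "ping -c 1 #{host}"
end

# Hardened pattern, part 1: reject anything that is not a plain hostname
# before it gets near a process. Allowlist, not a denylist of metacharacters.
HOSTNAME_RE = /\A[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/

def safe_argv(host)
  raise ArgumentError, "invalid hostname" unless host.match?(HOSTNAME_RE)
  # Hardened pattern, part 2: each argument is its own argv element.
  # system(*argv) / Open3.capture2(*argv) execve() the program directly;
  # no shell ever sees the value, so it is always exactly one argument.
  ["ping", "-c", "1", host]
end

def run_ping(host)
  out, status = Open3.capture2(*safe_argv(host))
  { output: out, ok: status.success? }
end

# Tokenise the vulnerable string the way a shell would, to make the
# difference visible without executing anything.
def shell_token_count(host)
  Shellwords.split(vulnerable_command(host)).length
end
```

With a value containing whitespace or metacharacters, the interpolated string yields more tokens than the four the author intended, while the argv form either rejects the value or keeps it as a single element.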
2,500 pts
@kyprizel reported that legacy third-party API credentials were hardcoded in the source code distributed with GitHub Enterprise. The disclosed credentials were not found to be used maliciously.
We addressed the behavior by revoking the exposed credentials and removing them from the source code.
500 pts
@kyprizel reported that debugging output from our GitHub Pages infrastructure could be disclosed if a specific user-agent was used in requests to a GitHub Pages site. The disclosed information was found not to contain sensitive data. However, because our GitHub Pages infrastructure caches responses, this could be used to force a targeted GitHub Pages site to return the debug information instead of the intended site content to other users.
We addressed the behavior by removing support for debug requests within GitHub Pages.