GitHub Enterprise Server Missing Authorization Vulnerability in Security Overview

Vulnerability

A missing authorization vulnerability exists in GitHub Enterprise Server versions prior to 3.17. This vulnerability allows users to view the names of private repositories they do not have access to, specifically in the Security Overview section of GitHub Advanced Security. The issue arises when the Security Overview is filtered using only the 'archived:' filter, bypassing normal access controls. This vulnerability was addressed in GitHub Enterprise Server versions 3.13.14, 3.14.11, 3.15.6, and 3.16.2.

Impact

Exploitation of this vulnerability allows unauthorized visibility into private repository names, potentially leading to further privacy or security concerns.

Reproduction

To reproduce this vulnerability, access the Security Overview in GitHub Advanced Security on a GitHub Enterprise Server instance prior to 3.17. Apply a filter that includes only 'archived:', which bypasses the normal access controls. This reveals the names of private repositories that the user does not have permission to access.

Remediation

Users can upgrade to GitHub Enterprise Server versions 3.13.14, 3.14.11, 3.15.6, or 3.16.2 to address this vulnerability.
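The fixed releases above are per release branch, so "am I patched?" depends on both the branch and the patch level. The following is an added example, not part of the advisory or of GitHub's tooling: it encodes the fixed versions named above and classifies a GitHub Enterprise Server version string as affected, fixed, or unaffected. The treatment of branches below 3.13, for which the advisory lists no fixed release, is a conservative assumption of this example (they are reported as affected), not a statement from the advisory.

```python
# Added example (not from the advisory): classify a GitHub Enterprise Server
# version string against the affected range and fixed releases named above.
from typing import Tuple

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_RELEASES = {
    (3, 13): (3, 13, 14),
    (3, 14): (3, 14, 11),
    (3, 15): (3, 15, 6),
    (3, 16): (3, 16, 2),
}

# The advisory states that versions prior to 3.17 are affected.
FIRST_UNAFFECTED_BRANCH = (3, 17)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' (e.g. '3.15.4'); a missing patch counts as 0.

    A leading 'v' and surrounding whitespace are tolerated; anything else
    raises ValueError so that a malformed input is never silently "fixed".
    """
    parts = text.strip().lstrip("v").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version: str) -> str:
    """Return 'affected', 'fixed', or 'unaffected' for this advisory.

    Assumption (not from the advisory): branches below 3.13 have no fixed
    release listed, so this check reports them as 'affected' rather than
    guessing at a fix level.
    """
    major, minor, patch = parse_version(version)
    if (major, minor) >= FIRST_UNAFFECTED_BRANCH:
        return "unaffected"
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "affected"
    return "fixed" if (major, minor, patch) >= fixed else "affected"


if __name__ == "__main__":
    # Constructed sample inventory, one version string per instance.
    for v in ["3.13.13", "3.13.14", "3.15.5", "3.16.2", "3.17.0", "3.12.9"]:
        print(f"{v:>8}: {assess(v)}")
```

Feed it the version reported by each instance's management console or API to find hosts that still need the upgrade; a ValueError from `parse_version` flags an inventory entry worth inspecting by hand rather than one to skip.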

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 2.5
exploitability: 7.7
remediation: 7.7
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.