GitHub Desktop Information Disclosure Vulnerability via Network Share Access
Vulnerability
A vulnerability in GitHub Desktop prior to version 3.4.20-beta3 allows information disclosure on Windows systems. When a user views a file in the commit history, GitHub Desktop reads the file through Git commands. As a security measure, Git resolves file paths to confirm they lie within the repository. On Windows, however, that resolution can inadvertently lead Git to access a network share path, at which point Windows attempts NTLM authentication against the remote host. That authentication attempt can expose the computer name, the signed-in Windows username, and an NTLM hash. Users on macOS are not affected.
Impact
Exploitation of this vulnerability can lead to unauthorized information disclosure via NTLM authentication, exposing sensitive data such as the computer name, Windows username, and NTLM hash.
Remediation
Users should update GitHub Desktop to version 3.4.20 or later. Those on the beta channel should update to 3.4.20-beta3.