GitHub Enterprise Server Improper Access Control Vulnerability Allowing Unauthorized Code Retrieval from Private Repositories

Vulnerability

A vulnerability in GitHub Enterprise Server prior to 3.18 allows a user with access to one repository to improperly retrieve limited code content from another, private repository by creating a diff between the two. Exploiting the compare/diff functionality requires knowledge of the private repository's name together with its branch names, tag names, or commit SHAs, and the user must have legitimate access to another repository within the same fork network as the private repository.

Impact

Exploitation of this vulnerability could lead to unauthorized access to code in private repositories, allowing users to view or use code they do not have permission to access.

Reproduction

To reproduce this vulnerability, a user must have access to a repository within the same fork network as the target private repository. The user then invokes the compare/diff functionality, supplying the name of the private repository together with its branches, tags, or commit SHAs, and receives limited code content from the repository they are not authorized to read.

Remediation

Users can upgrade to GitHub Enterprise Server version 3.14.17, 3.15.12, 3.16.8, or 3.17.5 to address this vulnerability.
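An added example, not part of this advisory, that turns the version information above into an automated check: it classifies a GitHub Enterprise Server build as affected or fixed using the per-release-line fix thresholds listed here and the "prior to 3.18" cutoff, and it evaluates the JSON body of the instance's `GET /api/v3/meta` endpoint. The `installed_version` field name is assumed from the GHES REST API, and the sample response is constructed.

```python
"""Affected-version check for the GHES compare/diff access flaw described above.
Added example; fix thresholds come from the advisory text."""
import json
import re
from typing import Optional, Tuple

# Patch level that closes the flaw on each release line named in the advisory.
FIXED_PATCH = {(3, 14): 17, (3, 15): 12, (3, 16): 8, (3, 17): 5}
# Release lines from 3.18 onward were never affected ("prior to 3.18").
FIRST_UNAFFECTED = (3, 18)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.16.7' (a trailing suffix such as '.rc1' is ignored) into (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GHES version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True when the build still carries the flaw."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= FIRST_UNAFFECTED:
        return False
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # Older release line: the advisory names no fix for it, so treat it as affected.
        return True
    return patch < fixed


def remediation_target(version: str) -> Optional[str]:
    """Fixed build on the instance's own release line, or None when no upgrade is needed."""
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "3.14.17"  # lowest fixed build named by the advisory
    return f"{major}.{minor}.{fixed}"


def check_meta_response(body: str) -> Tuple[str, bool, Optional[str]]:
    """Evaluate the JSON body returned by GET /api/v3/meta on a GHES instance.
    Field name `installed_version` is assumed from the GHES REST API."""
    version = json.loads(body)["installed_version"]
    return version, is_affected(version), remediation_target(version)


SAMPLE_META = '{"installed_version": "3.16.7"}'  # constructed sample response

if __name__ == "__main__":
    print(check_meta_response(SAMPLE_META))  # ('3.16.7', True, '3.16.8')
```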

Added: Aug 26, 2025, 2:22 AM
Updated: Aug 26, 2025, 2:22 AM

Vulnerability Rating

Custom Algorithm

  spread          1.9
  impact          2.5
  exploitability  5.2
  remediation     7.7
  relevance       0.4
  threat          1.6
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.