GitHub Enterprise Server Improper Authorization Vulnerability Allows Metadata Modification on Issues and Pull Requests

Vulnerability

An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with only read access to a repository, but write access to a project containing that repository's issues or pull requests, to modify issue and pull request metadata. The trigger was adding a duplicate item to the project: the duplicate add updated the existing item's column values, and those updates were applied without verifying that the user had write access to the repository. The vulnerability affects GitHub Enterprise Server versions 3.14.0 prior to 3.14.24, 3.15.0 prior to 3.15.19, 3.16.0 prior to 3.16.15, 3.17.0 prior to 3.17.12, 3.18.0 prior to 3.18.6, and 3.19.0 prior to 3.19.3.

Impact

Exploitation of this vulnerability allowed unauthorized modification of issue and pull request metadata that normally requires repository write access, including labels, assignees, and other related fields.

Reproduction

To reproduce this vulnerability, a user needs read access to a repository and write access to a project. The user then adds to the project an issue or pull request from that repository that is already an item in the project (a duplicate add). Instead of being rejected, the duplicate add updates the existing item's column values, and the updates are written through to the issue or pull request's metadata. The project write check passes, but the repository write check that would normally block the change is never performed.
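The authorization gap, modelled in Python as an added example for this page (this is not GitHub's code; the Issue and Project classes, the REPO_WRITERS table, the WRITE_THROUGH field map and the add_item_* functions are all assumptions). The vulnerable variant checks only project write permission on the duplicate-add path; the fixed variant also requires repository write permission for any column that writes through to the issue.

```python
"""Constructed model of the duplicate-add authorization gap.

Illustrative code for this page, not GitHub's implementation. All names
and the exact write-through behaviour are assumptions.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authorization check fails."""


@dataclass
class Issue:
    repo: str
    number: int
    labels: set = field(default_factory=set)
    assignees: set = field(default_factory=set)


@dataclass
class Project:
    writers: set                                  # users with project write access
    items: dict = field(default_factory=dict)     # (repo, number) -> Issue
    columns: dict = field(default_factory=dict)   # (repo, number) -> {field: value}


# Constructed repository permission table: only alice can write to acme/app.
REPO_WRITERS = {"acme/app": {"alice"}}

# Project fields whose values are written through to the underlying issue/PR.
WRITE_THROUGH = {"Labels": "labels", "Assignees": "assignees"}


def can_write_repo(user, repo):
    return user in REPO_WRITERS.get(repo, set())


def can_write_project(user, project):
    return user in project.writers


def apply_columns(project, key, column_values, check_repo_for=None):
    """Update an item's columns; write-through fields also change the issue.

    When check_repo_for is given, write-through fields additionally require
    that user to have write access to the issue's repository. The check runs
    before any field is applied, so a refused update changes nothing.
    """
    issue = project.items[key]
    if check_repo_for is not None and not can_write_repo(check_repo_for, issue.repo):
        blocked = [n for n in column_values if n in WRITE_THROUGH]
        if blocked:
            raise Forbidden(f"{check_repo_for} cannot change {blocked} on {issue.repo}")
    for name, value in column_values.items():
        if name in WRITE_THROUGH:
            setattr(issue, WRITE_THROUGH[name], set(value))
        project.columns[key][name] = value


def add_item_vulnerable(user, project, issue, column_values=None):
    """Vulnerable: a duplicate add updates columns after only the project check."""
    if not can_write_project(user, project):
        raise Forbidden(f"{user} cannot write to the project")
    key = (issue.repo, issue.number)
    if key not in project.items:
        project.items[key] = issue
        project.columns[key] = {}
    if column_values:
        # Bug: repository write permission is never consulted on this path.
        apply_columns(project, key, column_values)


def add_item_fixed(user, project, issue, column_values=None):
    """Fixed: write-through column updates require repository write permission."""
    if not can_write_project(user, project):
        raise Forbidden(f"{user} cannot write to the project")
    key = (issue.repo, issue.number)
    if key not in project.items:
        project.items[key] = issue
        project.columns[key] = {}
    if column_values:
        apply_columns(project, key, column_values, check_repo_for=user)


def scenario(add_item):
    """Run the duplicate-add sequence from the Reproduction section.

    bob has project write access but only read access to acme/app.
    Returns (issue labels afterwards, whether bob's update was refused).
    """
    project = Project(writers={"alice", "bob"})
    issue = Issue("acme/app", 7, labels={"bug"})
    add_item(user="alice", project=project, issue=issue)   # first add, by a repo writer
    try:
        add_item("bob", project, issue, {"Labels": ["wontfix"], "Status": "Done"})
        return set(issue.labels), False
    except Forbidden:
        return set(issue.labels), True


if __name__ == "__main__":
    print("vulnerable:", scenario(add_item_vulnerable))   # ({'wontfix'}, False)
    print("fixed:     ", scenario(add_item_fixed))        # ({'bug'}, True)
```

The design point is where the check lives: the first add and the duplicate add share a single project-level permission gate, but only the duplicate path carries column values that reach the issue, so the repository check has to sit on the write-through, not on the project operation.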

Remediation

Administrators should upgrade to GitHub Enterprise Server 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 or 3.19.3 (the first fixed release of each affected series) to address this vulnerability.
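A version check against the ranges in this advisory, added here as an example (not a GitHub tool). It reads the installed version either as a plain string or from a GET /api/v3/meta response body, which this example assumes carries an installed_version field on GHES; the sample body below is constructed. A series the advisory does not name is reported as unlisted rather than safe.

```python
"""Check a GitHub Enterprise Server version against this advisory's ranges.

Added example for this page, not a GitHub tool. The ranges are those stated
in the advisory; the sample meta response is constructed.
"""
import json

# (first affected, first fixed): a version is affected if first <= v < fixed.
AFFECTED_RANGES = [
    ((3, 14, 0), (3, 14, 24)),
    ((3, 15, 0), (3, 15, 19)),
    ((3, 16, 0), (3, 16, 15)),
    ((3, 17, 0), (3, 17, 12)),
    ((3, 18, 0), (3, 18, 6)),
    ((3, 19, 0), (3, 19, 3)),
]


def parse_version(text):
    """'3.17.9' -> (3, 17, 9); rejects anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GHES version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text):
    """Return (status, first_fixed) with status 'affected', 'fixed' or 'unlisted'.

    'unlisted' means the major.minor series is not named in the advisory
    (for example 3.13.x); treat that as unknown, not as safe.
    """
    v = parse_version(text)
    for first, fixed in AFFECTED_RANGES:
        if v[:2] == first[:2]:
            fixed_str = ".".join(map(str, fixed))
            return ("affected" if v < fixed else "fixed"), fixed_str
    return "unlisted", None


def assess_meta_response(body):
    """Assess the installed_version field of a GET /api/v3/meta response body."""
    return assess(json.loads(body)["installed_version"])


if __name__ == "__main__":
    sample = '{"installed_version": "3.17.11"}'   # constructed sample body
    for ver in ("3.14.23", "3.14.24", "3.19.3", "3.13.5"):
        print(ver, assess(ver))
    print("meta:", assess_meta_response(sample))
```

Comparing on the major.minor series first, then on the patch level, avoids the usual mistake of treating a later series as automatically fixed: 3.18.0 is newer than 3.17.12 but is still affected.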

Added: Mar 10, 2026, 6:28 PM
Updated: Mar 10, 2026, 6:28 PM

Vulnerability Rating

Custom Algorithm

spread          1.9
impact          0.6
exploitability  5.2
remediation     7.7
relevance       3.7
threat          1.6
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.