GitHub Enterprise Server Improper Authorization Vulnerability Allows Access to Private Repository Names

Vulnerability

A vulnerability in GitHub Enterprise Server prior to version 3.21 allows authenticated attackers to access the names of private repositories by their numeric IDs. This issue arises from the mobile upload policy API endpoint, which fails to perform proper authorization checks. As a result, validation error messages inadvertently disclose full repository names for inaccessible private repositories. The vulnerability affects all versions of GitHub Enterprise Server prior to 3.21.

Impact

Exploitation of this vulnerability could lead to unauthorized knowledge of private repository names, potentially allowing for further targeted actions or exploits against those repositories.

Reproduction

To reproduce this vulnerability, an authenticated user can send a request to the mobile upload policy API endpoint with a numeric ID corresponding to a private repository. The API response will include the repository name in the validation error message, without verifying the caller's access rights.
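As an added illustration (not GitHub's code and not the real endpoint), the following Ruby sketch models the disclosure pattern described above against a hypothetical in-memory repository store: the vulnerable handler builds its validation error before checking access, while the fixed handler authorizes first and returns the same generic response whether the repository is missing or merely inaccessible to the caller.

```ruby
# Added example (hypothetical, not GitHub Enterprise Server code): the
# error-message disclosure pattern beside a hardened version of the handler.
Repo = Struct.new(:id, :name, :private, :collaborators)

# Constructed sample data: repository 42 is private and readable only by "alice".
REPOS = {
  7  => Repo.new(7,  "acme/public-site",     false, []),
  42 => Repo.new(42, "acme/secret-roadmap",  true,  ["alice"]),
}.freeze

def can_read?(user, repo)
  !repo.private || repo.collaborators.include?(user)
end

# Vulnerable pattern: the validation error is rendered before any access check,
# so an unrelated authenticated user learns a private repository's name by ID.
def upload_policy_vulnerable(user, repository_id, content_type)
  repo = REPOS[repository_id]
  return { status: 404, error: "repository not found" } unless repo
  unless content_type.start_with?("image/")
    return { status: 422, error: "#{repo.name} does not accept #{content_type} uploads" }
  end
  return { status: 404, error: "repository not found" } unless can_read?(user, repo)
  { status: 200, policy: { repository: repo.name, max_bytes: 10_000_000 } }
end

# Hardened pattern: authorization runs first, "missing" and "forbidden" collapse
# into one indistinguishable response, and error text never names the repository.
def upload_policy_fixed(user, repository_id, content_type)
  repo = REPOS[repository_id]
  if repo.nil? || !can_read?(user, repo)
    return { status: 404, error: "repository not found" }
  end
  unless content_type.start_with?("image/")
    return { status: 422, error: "unsupported content type" }
  end
  { status: 200, policy: { repository: repo.name, max_bytes: 10_000_000 } }
end
```

A useful regression check for this class of bug is that an unauthorized caller's responses for an existing private ID and for a nonexistent ID are byte-for-byte identical.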

Remediation

Users can upgrade to GitHub Enterprise Server versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, or 3.14.26.

Added: Apr 21, 2026, 11:56 PM
Updated: Apr 21, 2026, 11:56 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 0.6
exploitability: 5.6
remediation: 7.7
relevance: 6.2
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.