GitHub Enterprise Server Server-Side Request Forgery Vulnerability Allowing Sensitive Data Exfiltration

A server-side request forgery (SSRF) vulnerability has been identified in GitHub Enterprise Server versions prior to 3.21. This vulnerability allows an attacker to extract sensitive environment variables from the instance by exploiting a timing side-channel in the notebook rendering service. When private mode is off, the notebook viewer follows HTTP redirects without validating the destination host, creating an opportunity for an unauthenticated SSRF attack on internal services. By combining this with regex filter queries against an internal API and analyzing response time variations, an attacker could deduce secret values character by character. Exploitation requires private mode to be disabled and the ability to redirect through an external link to access internal services.

Impact

Successful exploitation allows unauthorized access to sensitive environment variables, including secrets, through a timing side-channel attack. This could lead to further exploitation or data leakage.

Reproduction

To reproduce this vulnerability, disable private mode in the notebook viewer. Then, use a notebook that can follow HTTP redirects to an internal service. Measure the response times to infer secret values character by character.

Remediation

Users can upgrade to GitHub Enterprise Server versions 3.14.26, 3.15.21, 3.16.17, 3.17.14, 3.18.8, 3.19.5, or 3.20.1.