GitHub Enterprise Server Server-Side Request Forgery Vulnerability Allowing Sensitive Data Exposure

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in GitHub Enterprise Server versions prior to 3.21.1. The security advisories package lookup feature could be abused to make the server issue HTTP requests to internal services. By directing these requests at an internal management service and measuring response times, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation was possible without authentication on instances not running in private mode, and required authentication on instances running in private mode.
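The advisory describes the general SSRF pattern: a server-side feature fetches a URL on the caller's behalf, and nothing stops that fetch from reaching loopback or internal addresses. The following Python guard, added here as an illustration and not code from GitHub or from the vulnerable feature, shows the mitigation a defender would put in front of such a lookup: restrict the scheme, require the host to be on an explicit allowlist of external registries, and reject any destination whose resolved addresses are not globally routable. The allowlist hosts, the `FAKE_DNS` records and the resolver hook are assumptions constructed so the check runs offline.

```python
"""SSRF destination guard for a server-side "package lookup" style feature.

Added example, not GitHub's code. Assumes the feature takes a registry URL
chosen by the caller and then fetches it. The guard enforces:
  1. the scheme must be https and the URL must carry no credentials;
  2. the host must be on an explicit allowlist of external registries;
  3. every address the host resolves to must be globally routable, so a DNS
     record pointing at loopback, RFC 1918, link-local (including the
     169.254.169.254 metadata endpoint) or ULA space is refused.
The resolver is injectable so the check can be exercised with constructed
records and without network access.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: the only registry hosts the feature may query.
ALLOWED_HOSTS = frozenset({"registry.npmjs.org", "pypi.org", "rubygems.org"})


class SSRFBlocked(ValueError):
    """Raised when a destination fails the guard."""


def system_resolve(host):
    """Resolve with the system resolver; returns a sorted list of IP strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr):
    """True only for globally routable unicast addresses (v4 or v6)."""
    ip = ipaddress.ip_address(addr)
    # is_global is False for loopback, private, link-local, unspecified and
    # reserved ranges; multicast is excluded separately for older Pythons.
    return ip.is_global and not ip.is_multicast


def validate_destination(url, resolve=system_resolve):
    """Return (host, resolved_addresses) or raise SSRFBlocked."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise SSRFBlocked("credentials in URL are not allowed")
    host = parts.hostname
    if host is None:
        raise SSRFBlocked("no host in URL")
    host = host.lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not on allowlist: {host!r}")
    if parts.port not in (None, 443):
        raise SSRFBlocked(f"port not allowed: {parts.port}")
    addrs = resolve(host)
    if not addrs:
        raise SSRFBlocked(f"host did not resolve: {host!r}")
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        raise SSRFBlocked(f"{host!r} resolves to non-public address(es): {bad}")
    return host, list(addrs)


def is_safe_destination(url, resolve=system_resolve):
    """Boolean wrapper around validate_destination for call sites."""
    try:
        validate_destination(url, resolve)
        return True
    except SSRFBlocked:
        return False


# Constructed DNS records for offline demonstration (not real lookups).
FAKE_DNS = {
    "registry.npmjs.org": ["104.16.0.35"],        # constructed public address
    "pypi.org": ["151.101.0.223", "::1"],          # constructed: one record is loopback
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in (
        "https://registry.npmjs.org/lodash",        # allowed
        "http://registry.npmjs.org/lodash",         # wrong scheme
        "https://10.0.0.5/internal",                # literal internal host
        "https://pypi.org/simple",                  # one record resolves to ::1
        "https://registry.npmjs.org:8443/",         # unexpected port
    ):
        print(f"{candidate:45} -> {is_safe_destination(candidate, fake_resolve)}")
```

The fetch that follows must connect to the addresses this guard returned rather than resolving the name a second time; otherwise a DNS answer that changes between check and use (rebinding) would defeat the check.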

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive environment variables, including signing secrets and private keys, which could be used to compromise the application's security.

Reproduction

The vulnerability can be reproduced by sending a crafted request through the security advisories package lookup feature, directing the server-side request at an internal service whose responses reveal sensitive environment variable data. This can be done without authentication on instances not in private mode, or by any authenticated user on instances in private mode.

Remediation

Users can upgrade to GitHub Enterprise Server versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, or 3.16.19. Instructions for upgrading can be found in the GitHub Enterprise Server release notes.

Added: May 27, 2026, 12:23 AM
Updated: May 27, 2026, 12:23 AM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           1.9
impact           2.5
exploitability   5.6
remediation      8.3
relevance        9.7
threat           1.6
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.